[Freeipa-devel] [PATCH] 982 tweak to no_init patch

Rob Crittenden rcritten at redhat.com
Wed Mar 14 19:52:02 UTC 2012


Martin Kosek wrote:
> On Wed, 2012-03-07 at 16:50 -0500, Rob Crittenden wrote:
>> I discovered today that cert-request was failing with an untrusted CA error.
>>
>> The problem had to do with the NSS no_init patch. We were setting dbdir
>> in the connection object too soon so it was comparing itself to itself
>> and always determined that NSS was initialized just fine. This needs to
>> be moved after the check.
>>
>> To test this you need a master, a replica and a client with DNS set up
>> and SRV records for both servers.
>>
>> You need two or more servers so we run the ping() test. This is where
>> the client was failing before. What would happen is this:
>>
>> - initialize NSS
>> - run ping() against a server
>> - prepare request
>> - initialize NSS
>> - FAIL
>>
>> That second initialization isn't needed and is correctly caught by the
>> code with this patch.
>>
>> You need to test that a client enrollment works and that ipa
>> cert-request works.
>>
>> cert-request was failing because we initialize NSS with nodb so we can
>> load the CSR for validation. Because dbdir was set too early in the
>> connection we were getting no_init set improperly and nss_shutdown()
>> wasn't being called.
>>
>> rob
>
> Works for me, ACK.
>
> Please enhance testing instructions in the ticket. I had some issues
> reproducing the problem myself, but your advice sent off-list helped me.
> This should be enough.
>
> Martin
>
>

pushed to master and ipa-2-2
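The ordering bug described in the thread (record dbdir on the connection, then compare, so the comparison is "requested == requested" and no_init is always set) and the two flows used to test it, as an added, constructed model. This is not FreeIPA's nsslib code: FakeNSS stands in for the process-global NSS init/shutdown state, NSSContext and open_connection are hypothetical, and the dbdir paths are made-up sample values. The `dbdir_set_too_early` flag reproduces the pre-tweak ordering; the default is the corrected order.

```python
# Added example (not FreeIPA's code): a constructed model of the
# "is NSS already initialised with this database?" decision behind no_init.

NODB = "nodb"   # constructed marker: NSS initialised without a cert database


class FakeNSS:
    """Constructed stand-in for the library's process-global state.

    Real NSS must not be initialised twice. A database directory gives it a
    trust store; a 'nodb' init has no trusted CAs and is only good for
    things like parsing a CSR."""

    def __init__(self):
        self.dbdir = None          # None: not initialised
        self.shutdowns = 0         # how often nss_shutdown() ran

    def is_initialized(self):
        return self.dbdir is not None

    def init(self, dbdir):
        if self.is_initialized():
            # Models the "initialize NSS ... initialize NSS -> FAIL" sequence.
            raise RuntimeError("NSS already initialized with %r" % self.dbdir)
        self.dbdir = dbdir

    def shutdown(self):
        if self.is_initialized():
            self.dbdir = None
            self.shutdowns += 1

    def trusted_ca_available(self):
        # Only a real database directory can carry the IPA CA certificate.
        return self.is_initialized() and self.dbdir != NODB


class NSSContext:
    """Hypothetical record of the dbdir NSS was last set up for."""

    def __init__(self):
        self.dbdir = None


def open_connection(nss, ctx, dbdir, dbdir_set_too_early=False):
    """Return no_init: True when an existing, matching NSS initialisation is
    reused (so this connection must not shut NSS down), False when this
    connection initialised NSS itself.

    dbdir_set_too_early=True reproduces the ordering bug: ctx.dbdir is
    overwritten with the requested value before the comparison, so the
    check compares the request with itself and always passes."""
    if dbdir_set_too_early:
        ctx.dbdir = dbdir                  # BUG: recorded before the check

    if nss.is_initialized() and ctx.dbdir == dbdir:
        no_init = True                     # matching init already present
    else:
        if nss.is_initialized():
            nss.shutdown()                 # drop a mismatching init (e.g. nodb)
        nss.init(dbdir)
        no_init = False

    ctx.dbdir = dbdir                      # corrected order: record after the check
    return no_init


def close_connection(nss, no_init):
    """A connection that did not initialise NSS must leave it alone."""
    if not no_init:
        nss.shutdown()


def cert_request_flow(dbdir_set_too_early=False):
    """cert-request as described in the thread: NSS is first brought up with
    nodb to load the CSR, then the CA connection wants the real database.
    Returns (ca_trusted, shutdown_count)."""
    nss, ctx = FakeNSS(), NSSContext()
    nss.init(NODB)
    ctx.dbdir = NODB                       # CSR validation step
    no_init = open_connection(nss, ctx, "/path/to/server-nssdb", dbdir_set_too_early)
    ca_trusted = nss.trusted_ca_available()
    close_connection(nss, no_init)
    return ca_trusted, nss.shutdowns


def enrollment_flow(guarded, dbdir_set_too_early=False):
    """Client path: ping() one server, then prepare the real request against
    the same database. guarded=False is the unconditional double init that
    failed before the no_init patch. Returns True when no init error is raised."""
    nss, ctx = FakeNSS(), NSSContext()
    dbdir = "/path/to/client-nssdb"        # constructed sample value
    try:
        if guarded:
            open_connection(nss, ctx, dbdir, dbdir_set_too_early)   # ping()
            open_connection(nss, ctx, dbdir, dbdir_set_too_early)   # real request
        else:
            nss.init(dbdir)
            nss.init(dbdir)                # second init raises
        return True
    except RuntimeError:
        return False
```

With the early assignment the CA connection silently reuses the nodb context (no trusted CA, and close() never shuts NSS down because no_init is True); with the corrected order the mismatch is detected, NSS is re-initialised against the real database, and shutdown runs again when the connection closes. The enrollment path passes either way, which is why the thread says cert-request, not enrollment, is where the early assignment shows up.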
