88 Comments

The new build also breaks FreeIPA's CI and Azure testing pipeline

I have successfully tested pki-core 10.9.0-0.4 build with FreeIPA last week.

BZ#1832841 mod_md does not work with ACME server that does not provide keyChange or revokeCert resources

The new build fixes the cert validation issue for me:

# rpm -qa gnutls
gnutls-3.6.13-6.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '23.21.153.210:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is trusted. 
- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
- Session ID: 7A:F6:D0:6D:48:15:16:62:A5:F5:E4:AE:BB:C5:10:1C:C2:50:12:F7:AF:AB:39:0B:CE:9B:07:29:02:15:2D:A2
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

^C

Before upgrade:

# rpm -qa gnutls
gnutls-3.6.13-4.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '204.236.231.159:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
BZ#1842178 AddTrust External Root CA certificate expiration causes cert validation issue
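The "before upgrade" failure above is the classic cross-sign problem: the server presents a path that ends in the AddTrust External CA Root, which expired on 2020-05-30, while current trust stores carry the COMODO RSA Certification Authority as a self-signed root in its own right. A verifier that insists on walking the presented path trips over the expired certificate; one that looks for a trusted root matching the intermediate's issuer still builds a valid chain. The Go program below is an added example, not code from this page, from gnutls or from Fedora. It constructs a certificate hierarchy with the same shape (the names Legacy Root CA, Newer Root CA, Issuing CA and the host api.example.test are made up, and serial numbers come from a counter) and runs Go's crypto/x509 verifier three ways to show which trust-store contents let the chain pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Result records the three verification attempts made by Run.
type Result struct {
	OldRootErr      error // only the expired legacy root is trusted: must fail
	OldRootExpired  bool  // and that failure is reported as an expiry problem
	NewRootErr      error // only the newer self-signed root is trusted: must succeed
	NewRootChainLen int   // certificates in the accepted chain: leaf, issuing CA, root
	BothRootsErr    error // both roots trusted, expired cross-sign still presented: must succeed
}

var serial int64 // constructed serial counter; real CAs use random serials

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for cn, valid over [from, until), signed by signer under parent
// (nil parent: self-signed). Go derives a CA's SubjectKeyId from its public key, so the
// self-signed root and the cross-signed copy of the same key carry the same identifier.
func issue(cn string, from, until time.Time, ca bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: until, IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // server certificate; no EKU, which Go treats as unrestricted
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Run builds the constructed hierarchy and verifies the leaf against three trust stores.
func Run() Result {
	now := time.Now()
	expiredFrom, expiredUntil := now.Add(-2*365*24*time.Hour), now.Add(-24*time.Hour)
	validFrom, validUntil := now.Add(-time.Hour), now.Add(365*24*time.Hour)
	const host = "api.example.test" // constructed hostname
	legacyKey, newerKey, issuingKey, leafKey := newKey(), newKey(), newKey(), newKey()
	// Legacy root, now past its expiry (the AddTrust External CA Root role).
	legacyRoot := issue("Legacy Root CA", expiredFrom, expiredUntil, true, &legacyKey.PublicKey, nil, legacyKey)
	// The newer CA key as modern trust stores ship it (a self-signed root), and the same key and
	// subject cross-signed by the legacy root, expiring with it (the COMODO RSA CA role).
	newerRoot := issue("Newer Root CA", validFrom, validUntil, true, &newerKey.PublicKey, nil, newerKey)
	crossSigned := issue("Newer Root CA", expiredFrom, expiredUntil, true, &newerKey.PublicKey, legacyRoot, legacyKey)
	issuing := issue("Issuing CA", validFrom, validUntil, true, &issuingKey.PublicKey, newerRoot, newerKey)
	leaf := issue(host, validFrom, now.Add(90*24*time.Hour), false, &leafKey.PublicKey, issuing, issuingKey)
	// What the server sends with the leaf: the issuing CA plus the expired cross-sign, the same
	// shape as the certificate list in the gnutls-cli output above.
	opts := x509.VerifyOptions{DNSName: host, Intermediates: pool(issuing, crossSigned), CurrentTime: now}
	var r Result
	opts.Roots = pool(legacyRoot)
	_, r.OldRootErr = leaf.Verify(opts)
	r.OldRootExpired = r.OldRootErr != nil && strings.Contains(r.OldRootErr.Error(), "expired")
	opts.Roots = pool(newerRoot)
	chains, err := leaf.Verify(opts)
	if r.NewRootErr = err; err == nil {
		r.NewRootChainLen = len(chains[0])
	}
	opts.Roots = pool(legacyRoot, newerRoot)
	_, r.BothRootsErr = leaf.Verify(opts)
	return r
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

The third case is the one that matters for the bug above: the server still sends the expired cross-signed certificate, but because the trust store holds the newer key as a root, a verifier that tries trusted roots before the presented intermediates accepts the chain leaf, issuing CA, root and never needs the expired link. Dropping the expired root from the trust store is correct but not sufficient on its own; the verifier must also be willing to ignore an expired certificate in the presented list when another trusted path exists.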

The update solves the issue with Bind9 named and OpenSSL PKCS#11 engine in FIPS mode (tested on F31, F32 uses the same patch and version of libp11).

BZ#1827535 PKCS11 engine does not work in FIPS mode: RSA_new_method:non FIPS rsa method

The update solves the issue with Bind9 named and OpenSSL PKCS#11 engine in FIPS mode.

BZ#1827535 PKCS11 engine does not work in FIPS mode: RSA_new_method:non FIPS rsa method

The new release fixes the AVC that breaks FreeIPA's DNSSEC support.

The remaining issues have to be fixed in IPA.

BZ#1825812 AVC avc: denied { dac_override } for comm="ods-enforcerd

It's the secret. Alexander is working on a PR to address the issue, https://github.com/freeipa/freeipa/pull/4337

I confirm that the update fixes the email quoting issue in FreeIPA.

BZ#1731100 Label escaping bug for special characters breaks ipa dnszone-show
BZ#1775146 POST request with TLS 1.3 PHA client auth fails: Re-negotiation handshake failed: Client certificate missing

FreeIPA PR https://github.com/freeipa/freeipa/pull/3911 with TLS 1.3 enabled is now passing basic tests. TLS 1.3 post-handshake client cert auth of POST requests is working as expected.

Thanks for the quick fix!

BZ#1775146 POST request with TLS 1.3 PHA client auth fails: Re-negotiation handshake failed: Client certificate missing

New build works for me


Works for me