mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Don't set dbdir in the connection until after the connection is created.
We were comparing the current connection with itself so were never going to call nss_shutdown(). dbdir needs to be set after the connection has been made. This worked on single server installs because we don't do a ping so NSS would never be pre-initialized. If multiple servers are available we call ping() to find one that is up before submitting the request, this is what would have pre-initialized NSS. This was tripping up request-cert because it will intialize NSS with no DB if it hasn't been initialized. We need to initialize it to validate the CSR. A non-working client was doing this when calling cert-request: - call load_certificate_request() - nss.nss_nodb_init() - load the CSR - create a connection, dbdir=/etc/pki/nssdb - the dbdir matches within the same connection, don't call nss_shutdown() - connect to remote server - fail, untrusted CA because we are still using db from nss_nodb_init. Instead if we set dbdir afterward then this will properly be shutdown and NSS re-initialized with correct dbdir. https://fedorahosted.org/freeipa/ticket/2498
This commit is contained in:
parent
0425d09fac
commit
17ba58aa4b
@ -229,7 +229,8 @@ class SSLTransport(LanguageAwareTransport):
|
||||
continue
|
||||
if not isinstance(value.conn._ServerProxy__transport, SSLTransport):
|
||||
continue
|
||||
if value.conn._ServerProxy__transport.dbdir == dbdir:
|
||||
if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
|
||||
value.conn._ServerProxy__transport.dbdir == dbdir:
|
||||
return True
|
||||
return False
|
||||
|
||||
@ -241,13 +242,14 @@ class SSLTransport(LanguageAwareTransport):
|
||||
# If we an existing connection exists using the same NSS database
|
||||
# there is no need to re-initialize. Pass thsi into the NSS
|
||||
# connection creator.
|
||||
self.dbdir='/etc/pki/nssdb'
|
||||
no_init = self.__nss_initialized(self.dbdir)
|
||||
dbdir = '/etc/pki/nssdb'
|
||||
no_init = self.__nss_initialized(dbdir)
|
||||
(major, minor, micro, releaselevel, serial) = sys.version_info
|
||||
if major == 2 and minor < 7:
|
||||
conn = NSSHTTPS(host, 443, dbdir=self.dbdir, no_init=no_init)
|
||||
conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
|
||||
else:
|
||||
conn = NSSConnection(host, 443, dbdir=self.dbdir, no_init=no_init)
|
||||
conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
|
||||
self.dbdir=dbdir
|
||||
conn.connect()
|
||||
return conn
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user