Don't set dbdir in the connection until after the connection is created.

We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.

This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.

This was tripping up request-cert because it will initialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.

A non-working client was doing this when calling cert-request:
 - call load_certificate_request()
 - nss.nss_nodb_init()
 - load the CSR
 - create a connection, dbdir=/etc/pki/nssdb
 - the dbdir matches within the same connection, don't call nss_shutdown()
 - connect to remote server
 - fail, untrusted CA because we are still using db from nss_nodb_init.

Instead if we set dbdir afterward then this will properly be shut down
and NSS re-initialized with correct dbdir.

https://fedorahosted.org/freeipa/ticket/2498
Rob Crittenden 2012-03-07 16:36:52 -05:00
parent 0425d09fac
commit 17ba58aa4b

@ -229,7 +229,8 @@ class SSLTransport(LanguageAwareTransport):
continue
if not isinstance(value.conn._ServerProxy__transport, SSLTransport):
continue
if value.conn._ServerProxy__transport.dbdir == dbdir:
if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
value.conn._ServerProxy__transport.dbdir == dbdir:
return True
return False
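Review bot: the new hasattr() guard on the dbdir comparison hides misspelled attribute names and only exists because dbdir is now left undefined on a transport that has not finished creating its connection; prefer declaring `dbdir = None` as a class attribute on SSLTransport (or assigning it in __init__) so the original `value.conn._ServerProxy__transport.dbdir == dbdir` comparison can stay and simply fails to match for a transport whose database has not been opened yet. If the guard is kept, the backslash continuation reads better as a parenthesized condition.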
@ -241,13 +242,14 @@ class SSLTransport(LanguageAwareTransport):
# If we an existing connection exists using the same NSS database
# there is no need to re-initialize. Pass thsi into the NSS
# connection creator.
self.dbdir='/etc/pki/nssdb'
no_init = self.__nss_initialized(self.dbdir)
dbdir = '/etc/pki/nssdb'
no_init = self.__nss_initialized(dbdir)
(major, minor, micro, releaselevel, serial) = sys.version_info
if major == 2 and minor < 7:
conn = NSSHTTPS(host, 443, dbdir=self.dbdir, no_init=no_init)
conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
else:
conn = NSSConnection(host, 443, dbdir=self.dbdir, no_init=no_init)
conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
self.dbdir=dbdir
conn.connect()
return conn
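Review bot: `self.dbdir=dbdir` is assigned before `conn.connect()`, so when connect() raises the transport is left advertising an NSS database it never opened; if that transport is still reachable through the context, the lookup in __nss_initialized() will report NSS as initialized for that dbdir and skip nss_shutdown() exactly as the old self-comparison did. Move the assignment after `conn.connect()` (or clear it in an except clause). While these lines are being touched, fix the comment's "If we an existing connection exists" and "thsi", and put spaces around `=` in `self.dbdir = dbdir` for PEP 8.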