
List:       sssd-users
Subject:    [SSSD-users] Re: tips for debugging smartcard authentication failures in sssd?
From:       James Ralston <ralston () pobox ! com>
Date:       2021-07-19 1:59:49
Message-ID: CAEkxbZsFzmvgPi_+HoMipM1G7bcTZohzWY73Dndt9quWTU1N2Q () mail ! gmail ! com

On Thu, Jul 15, 2021 at 9:37 AM Arthur Scott Poore
<spoore@fedoraproject.org> wrote:

We managed to figure it out before I saw your reply, but you were on
the right track:

> One other question related to being air-gapped, do the certificates
> on the cards have OCSP/CRL info/urls set?  If so, SSSD may be trying
> to check that if not disabled.

We tracked the problem down to do_verification() in
src/p11_child/p11_child_nss.c.  The call to
CERT_VerifyCertificateNow() was returning -8102
(SEC_ERROR_INADEQUATE_KEY_USAGE; "Certificate key usage inadequate for
attempted operation").

On a hunch, we set certificate_verification = no_ocsp, and the
problems went away.

<rant>

NSS throwing SEC_ERROR_INADEQUATE_KEY_USAGE when it can't reach an
OCSP server is the most unhelpful thing in the history of unhelpful
things.  This error message suggests that it is some quality of the
certificate itself (KU, EKU, encryption algorithm, key signing
algorithm, whatever) that NSS objects to.

I could understand that if NSS didn't have any OCSP-related error
codes.  But it has literally 19 of them (1):

    SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
    SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
    SEC_ERROR_OCSP_MALFORMED_REQUEST
    SEC_ERROR_OCSP_SERVER_ERROR
    SEC_ERROR_OCSP_TRY_SERVER_LATER
    SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
    SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
    SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
    SEC_ERROR_OCSP_UNKNOWN_CERT
    SEC_ERROR_OCSP_NOT_ENABLED
    SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER
    SEC_ERROR_OCSP_MALFORMED_RESPONSE
    SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
    SEC_ERROR_OCSP_FUTURE_RESPONSE
    SEC_ERROR_OCSP_OLD_RESPONSE
    SEC_ERROR_OCSP_INVALID_SIGNING_CERT
    SEC_ERROR_REVOKED_CERTIFICATE_OCSP
    SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
    SEC_ERROR_OCSP_BAD_SIGNATURE

But apparently, no one thought that *this* error code might actually
be useful:

    SEC_ERROR_OCSP_SERVER_UNREACHABLE

Gah.

If we hadn't already suspected something external (the problems were
intermittent, even though nothing had changed on the hosts), who knows
how far into the weeds SEC_ERROR_INADEQUATE_KEY_USAGE would have taken
us.

I'm glad that for RHEL8, sssd moved from NSS to OpenSSL, because to
paraphrase Theo de Raadt: OpenSSL might suck, but everything else
sucks far more.

</rant>

Anyway, thanks for your reply.  Hopefully this thread (especially your
suggestions) will be useful to others who encounter mysterious
certificate verification issues.

(1) https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslerr
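Checking for the OCSP/CRL URLs that Arthur asked about, as an added example that is not code from this thread, SSSD or NSS: a small DER walker that lists the AIA OCSP responder and CRL distribution-point URLs in a certificate, which is what an air-gapped host cannot reach. The sample extensions block is constructed inline; feeding it the DER bytes of a real certificate read from a file is assumed to work the same way, since the scan only looks for those two extension OIDs.

```python
# Added example for this thread (not SSSD/NSS code): list the OCSP and CRL URLs a revocation check needs to reach.
OID_AIA = bytes.fromhex("2b06010505070101")    # 1.3.6.1.5.5.7.1.1  authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")   # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CRLDP = bytes.fromhex("551d1f")            # 2.5.29.31          cRLDistributionPoints

def children(value):
    """Yield (tag, content) for each DER TLV in value; DER allows definite lengths only."""
    pos = 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                               # long form: 0x8N, then N length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + length]
        pos += length

def uris(value):
    """Yield every GeneralName [6] uniformResourceIdentifier found below value."""
    for tag, val in children(value):
        if tag == 0x86:
            yield val.decode("ascii")
        elif tag & 0x20:                                # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from uris(val)

def extensions(der_bytes, wanted):
    """Yield (extnID, extnValue) for every X.509 Extension in a DER blob whose OID is in wanted."""
    items = list(children(der_bytes))                   # Extension ::= SEQUENCE { OID, [BOOLEAN], OCTET STRING }
    if items and items[0][0] == 0x06 and items[-1][0] == 0x04 and items[0][1] in wanted:
        yield items[0][1], items[-1][1]
    for tag, val in items:
        if tag & 0x20:
            yield from extensions(val, wanted)

def revocation_urls(der_bytes):
    """Return {'ocsp': [...], 'crl': [...]} for a DER certificate (or just its extensions block)."""
    result = {"ocsp": [], "crl": []}
    for oid, ext in extensions(der_bytes, (OID_AIA, OID_CRLDP)):
        for _, entry in children(next(children(ext))[1]):     # each AccessDescription / DistributionPoint
            if oid == OID_AIA and next(children(entry))[1] == OID_OCSP:
                result["ocsp"].extend(uris(entry))
            elif oid == OID_CRLDP:                              # only [0] distributionPoint, not [2] cRLIssuer
                result["crl"].extend(u for tag, val in children(entry) if tag == 0xA0 for u in uris(val))
    return result

def der(tag, *parts):  # short-form DER TLV encoder, used only to build the constructed sample below
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
# Constructed sample: a [3] Extensions block with one AIA OCSP responder and one CRL distribution point.
SAMPLE_EXTENSIONS = der(0xA3, der(0x30,
    der(0x30, der(0x06, OID_AIA), der(0x04, der(0x30, der(0x30, der(0x06, OID_OCSP), der(0x86, b"http://ocsp.example.test/"))))),
    der(0x30, der(0x06, OID_CRLDP), der(0x04, der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/ca.crl")))))))))
```

Any URL this reports is one that a default NSS or OpenSSL revocation check would attempt to fetch; on a host with no route to it, that is the first thing to rule out before reading key-usage errors literally.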
