Public bug reported:

[ Impact ]

The upgrade to OpenSSL 3 results in the failure of the mellon_create_metadata helper script to generate the initial SP metadata files required by Apache mod_auth_mellon. Since Ubuntu jammy uses OpenSSL 3, this fix is essential to restore the functionality of mellon_create_metadata.

The issue arises because OpenSSL 3 no longer supports using device files, such as /dev/urandom, as RANDFILE input, which mellon_create_metadata depends on to generate SAML service provider metadata, including a public key pair and configuration XML file.

[ Test Plan ]

Run the following command:

  mellon_create_metadata urn:someservice https://sp.example.org/mellon

Only two files, urn_someservice.cert and urn_someservice.key, will be created in the current working directory. The expected output should include a third file, urn_someservice.xml.

Note that there are no error messages indicating a problem, as stderr is suppressed in the script.

[ Where problems could occur ]

The upstream changes involve writing 256 bytes from /dev/urandom to a temporary file, which is then used as input for OpenSSL RANDFILE. While these changes are unlikely to cause significant regressions, there is a hypothetical issue where, in rare cases, the OpenSSL command might fail due to unrelated reasons. In such scenarios, the updated script could leave behind two residual temporary files instead of the single file left by the current version. However, since these files are small and typically cleaned up regularly by the system, this behavior should not negatively impact the user.

[ Other Info ]

Upstream fix: https://github.com/latchset/mod_auth_mellon/issues/105

Fixes: LP: #1945774, LP: #2052795

** Affects: libapache2-mod-auth-mellon (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2081763

Title:
  [SRU] mellon_create_metadata is incompatible with OpenSSL 3 in jammy
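
The seed-file approach from [ Where problems could occur ] and the file check from [ Test Plan ], sketched as an added example that is not the upstream patch or the packaged script. The names run_with_seed_file, missing_sp_files, SEED_FILE and sp-req.cnf are assumptions made for this illustration; unlike the behaviour described above, the temporary file is removed even when the wrapped command fails.

```shell
#!/bin/sh
# Added illustration; not the upstream mod_auth_mellon patch.
# run_with_seed_file, missing_sp_files and SEED_FILE are hypothetical names.

# Run "$@" with SEED_FILE naming a private regular file that holds 256 bytes
# read from /dev/urandom. The body is a subshell, so the EXIT trap removes the
# file whether the command succeeds, fails or is interrupted.
# stderr of the command is deliberately not suppressed.
run_with_seed_file() (
    seed=$(mktemp "${TMPDIR:-/tmp}/sp-seed.XXXXXX") || exit 1
    trap 'rm -f "$seed"' EXIT
    trap 'exit 1' HUP INT TERM
    dd if=/dev/urandom of="$seed" bs=256 count=1 2>/dev/null || exit 1
    SEED_FILE=$seed
    export SEED_FILE
    "$@"
    status=$?
    exit "$status"
)

# Test-plan check: print every expected output file that is missing or empty.
# Returns 0 only when <prefix>.cert, <prefix>.key and <prefix>.xml all exist.
missing_sp_files() {
    rc=0
    for ext in cert key xml; do
        if [ ! -s "$1.$ext" ]; then
            echo "$1.$ext"
            rc=1
        fi
    done
    return "$rc"
}

# Usage sketch (assumed invocation; sp-req.cnf is a placeholder config that
# contains the line "RANDFILE = $ENV::SEED_FILE"):
#   run_with_seed_file openssl req -batch -new -x509 -nodes \
#       -config sp-req.cnf -out urn_someservice.cert -keyout urn_someservice.key
#   missing_sp_files urn_someservice || echo "metadata generation incomplete" >&2
```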