[Bug 1945774] [NEW] openssl: breaks ssl-cert installation: 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom

Launchpad Bug Tracker 1945774 at bugs.launchpad.net
Mon Nov 18 17:17:58 UTC 2024


You have been subscribed to a public bug by Weii Wang (weii-wang):

[ Impact ]

The upgrade to OpenSSL 3 results in the failure of the
mellon_create_metadata helper script to generate the initial SP metadata
files required by apache mod_auth_mellon. Since ubuntu jammy uses
OpenSSL 3, this fix is essential to restore the functionality of
mellon_create_metadata. The issue arises because OpenSSL 3 no longer
supports using device files, such as /dev/urandom, as RANDFILE input,
which mellon_create_metadata depends on to generate SAML service
provider metadata, including a public key pair and configuration
XML file.

[ Test Plan ]

Run the following command:
    mellon_create_metadata urn:example https://example.org/mellon

Only two files, urn_example.cert and urn_example.key will be
created in the current working directory. The expected output should
include a third file, urn_example.xml. Note that there are no
error messages indicating a problem, as stderr is suppressed in the
script.

To test the generated metadata and the mod_auth_mellon module, you will
need apache installed. First create a directory /etc/apache2/saml2 and
move the three files generated in the previous step into this directory.

Next, download the metadata for a test IdP and save it in the same
directory using the following command:
    curl https://login.ubuntu.com/saml/metadata -Lo \
        /etc/apache2/saml2/idp_metadata.xml

Enable auth_mellon module (a2enmod auth_mellon) and create a test apache
configuration with the following content:

    <Location / >
        MellonEnable info
        MellonEndpointPath /mellon/
        MellonSPMetadataFile /etc/apache2/saml2/urn_example.xml
        MellonSPPrivateKeyFile /etc/apache2/saml2/urn_example.key
        MellonSPCertFile /etc/apache2/saml2/urn_example.cert
        MellonIdPMetadataFile /etc/apache2/saml2/idp_metadata.xml
    </Location>

Restart apache and test the mellon login endpoint. This should
redirect you to the correct IdP login page with a SAML request,
confirming that the metadata and the auth_mellon module are working
correctly.

    curl -v '127.1/mellon/login?ReturnTo=http%3A%2F%2F127.0.0.1%2F&IdP=https%3A%2F%2Flogin.ubuntu.com'
    ...
    Location: https://login.ubuntu.com/saml/?SAMLRequest=hZJN...
    ...

[ Where problems could occur ]

The upstream changes involve writing 256 bytes from /dev/urandom to
a temporary file, which is then used as input for OpenSSL RANDFILE.
While these changes are unlikely to cause significant regressions,
there is a hypothetical issue where, in rare cases, the OpenSSL command
might fail due to unrelated reasons. In such scenarios, the updated
script could leave behind two residual temporary files instead of the
single file left by the current version. However, since these files
are small and typically cleaned up regularly by the system, this
behavior should not negatively impact the user.

[ Other Info ]

Upstream fix: https://github.com/latchset/mod_auth_mellon/issues/105

** Affects: mod-auth-mellon
     Importance: Unknown
         Status: Fix Released

** Affects: hplip (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: libapache2-mod-auth-mellon (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: ssl-cert (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: hplip (Ubuntu Jammy)
     Importance: Undecided
         Status: Fix Released

** Affects: libapache2-mod-auth-mellon (Ubuntu Jammy)
     Importance: Undecided
         Status: Triaged

** Affects: ssl-cert (Ubuntu Jammy)
     Importance: Undecided
         Status: Fix Released

** Affects: ssl-cert (Debian)
     Importance: Unknown
         Status: Fix Released


** Tags: bitesize transition-openssl3-jj
-- 
openssl: breaks ssl-cert installation: 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
https://bugs.launchpad.net/bugs/1945774
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.
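
The seed-file approach described under "Where problems could occur", as an added example that is not part of the bug report or of mellon_create_metadata: it copies 256 bytes from /dev/urandom into a regular temporary file, exposes it as RANDFILE, and removes it whether or not the wrapped command succeeds. The function names (is_regular_seed, make_seed_file, with_seed_file) are hypothetical.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical and not taken from
# mellon_create_metadata or the upstream fix.
# Usage: with_seed_file <command that reads $RANDFILE>

# The error in the bug title is "Not a regular file" for /dev/urandom,
# so a usable seed path must pass a regular-file test.
is_regular_seed() {
    [ -f "$1" ]
}

# Copy 256 bytes from /dev/urandom into a private temporary file
# (mktemp creates it with mode 0600) and print the file's path.
make_seed_file() {
    seed=$(mktemp) || return 1
    if ! dd if=/dev/urandom of="$seed" bs=256 count=1 2>/dev/null; then
        rm -f "$seed"
        return 1
    fi
    printf '%s\n' "$seed"
}

# Run "$@" with RANDFILE pointing at a fresh seed file. The seed file is
# removed on both the success and the failure path, and the wrapped
# command's exit status is returned unchanged.
with_seed_file() {
    seed_path=$(make_seed_file) || return 1
    # Subshell keeps the RANDFILE export from leaking into the caller.
    ( RANDFILE=$seed_path; export RANDFILE; "$@" )
    status=$?
    rm -f "$seed_path"
    return "$status"
}
```

Because the script suppresses stderr, a wrapper like this should also propagate the exit status so a failed OpenSSL call is visible to the caller.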