[Bug 1945774] Re: openssl: breaks ssl-cert installation: 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom

Weii Wang 1945774 at bugs.launchpad.net
Mon Nov 25 18:59:29 UTC 2024 

Continually refines the patch based on suggestions from athos-ribeiro:  
  * Updates the Launchpad bug format  
  * Removes redundant DEP3 headers

** Patch added: "libapache2-mod-auth-mellon_0.18.0-1ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/1945774/+attachment/5840307/+files/libapache2-mod-auth-mellon_0.18.0-1ubuntu1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1945774

Title:
  openssl: breaks ssl-cert installation:
  8022CB35777F0000:error:1200007A:random number
  generator:RAND_write_file:Not a regular
  file:../crypto/rand/randfile.c:190:Filename=/dev/urandom

Status in mod_auth_mellon:
  Fix Released
Status in hplip package in Ubuntu:
  Fix Released
Status in libapache2-mod-auth-mellon package in Ubuntu:
  Fix Released
Status in ssl-cert package in Ubuntu:
  Fix Released
Status in hplip source package in Jammy:
  Fix Released
Status in libapache2-mod-auth-mellon source package in Jammy:
  Triaged
Status in ssl-cert source package in Jammy:
  Fix Released
Status in ssl-cert package in Debian:
  Fix Released

Bug description:
  [ Impact ]

  The upgrade to OpenSSL 3 results in the failure of the
  mellon_create_metadata helper script to generate the initial SP metadata
  files required by apache mod_auth_mellon. Since ubuntu jammy uses
  OpenSSL 3, this fix is essential to restore the functionality of
  mellon_create_metadata. The issue arises because OpenSSL 3 no longer
  supports using device files, such as /dev/urandom, as RANDFILE input,
  which mellon_create_metadata depends on to generate SAML service
  provider metadata, including a public key pair and configuration
  XML file.

  [ Test Plan ]

  Run the following command:
      mellon_create_metadata urn:example https://example.org/mellon

  Only two files, urn_example.cert and urn_example.key will be
  created in the current working directory. The expected output should
  include a third file, urn_example.xml. Note that there are no
  error messages indicating a problem, as stderr is suppressed in the
  script.

  To test the generated metadata and the mod_auth_mellon module, you will
  need apache installed. First create a directory /etc/apache2/saml2 and
  move the three files generated in the previous step into this directory.

  Next, download the metadata for a test IdP and save it in the same
  directory using the following command:
      curl https://login.ubuntu.com/saml/metadata -Lo \
          /etc/apache2/saml2/idp_metadata.xml

  Enable auth_mellon module (a2enmod auth_mellon) and create a test apache
  configuration with the following content:

      <Location / >
          MellonEnable info
          MellonEndpointPath /mellon/
          MellonSPMetadataFile /etc/apache2/saml2/urn_example.xml
          MellonSPPrivateKeyFile /etc/apache2/saml2/urn_example.key
          MellonSPCertFile /etc/apache2/saml2/urn_example.cert
          MellonIdPMetadataFile /etc/apache2/saml2/idp_metadata.xml
      </Location>

  Restart apache and test the mellon login endpoint, and This should
  redirect you to the correct IdP login page with a SAML request,
  confirming that the metadata and the auth_mellon module are working
  correctly.

      curl -v '127.1/mellon/login?ReturnTo=http%3A%2F%2F127.0.0.1%2F&IdP=https%3A%2F%2Flogin.ubuntu.com'
      ...
      Location: https://login.ubuntu.com/saml/?SAMLRequest=hZJN...
      ...

  [ Where problems could occur ]

  The upstream changes involve writing 256 bytes from /dev/urandom to
  a temporary file, which is then used as input for OpenSSL RANDFILE.
  While these changes are unlikely to cause significant regressions,
  there is a hypothetical issue where, in rare cases, the OpenSSL command
  might fail due to unrelated reasons. In such scenarios, the updated
  script could leave behind two residual temporary files instead of the
  single file left by the current version. However, since these files
  are small and typically cleaned up regularly by the system, this
  behavior should not negatively impact the user.

  [ Other Info ]

  Upstream fix: https://github.com/latchset/mod_auth_mellon/issues/105

To manage notifications about this bug go to:
https://bugs.launchpad.net/mod-auth-mellon/+bug/1945774/+subscriptions

More information about the Ubuntu-sponsors mailing list