Bug 1003326

Summary: CVE-2013-7450: All users who install pulp-server will have the same CA certificate and key that is in our public code repository
Product: [Retired] Pulp Reporter: Randy Barlow <rbarlow>
Component: rel-engAssignee: Jeff Ortel <jortel>
Status: CLOSED CURRENTRELEASE QA Contact: Preethi Thomas <pthomas>
Severity: urgent Docs Contact:
Priority: low    
Version: MasterCC: bcourt, jortel, skarmark
Target Milestone: ---Keywords: Triaged
Target Release: 2.3.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-09 14:31:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Randy Barlow 2013-09-01 22:07:24 UTC 
I learned during our refactor this weekend that we have ca.{crt,key} files in our git repository that our RPM packages and installs on every Pulp installation. This is very bad.

To make matters worse, there is only a tiny paragraph in our docs that mention quite casually that you should make your own SSL certificates. This is putting our users at risk, particularly ones who don't know the full depths of our use of CA certificates. This is particularly bad due to the understated nature of the documentation telling users that they can change the CA if they want to.

A very easy solution would be to have the %post% section of our spec file autogenerate a new CA certificate and key when the package is installed. This has the benefit of still making it easy to install Pulp for newcomers, while also not putting those users at risk to man in the middle attacks. It's still exactly the same effort for the user to install their own CA, if they wish.
Comment 1 Jeff Ortel 2013-09-19 23:07:40 UTC 
https://github.com/pulp/pulp/pull/627
Comment 2 Jeff Ortel 2013-09-26 15:36:36 UTC 
build: 2.3.0-0.15.alpha
Comment 3 Preethi Thomas 2013-09-30 12:54:50 UTC 
verified
[root@pulp-v2-server ~]# rpm -qa pulp-server
pulp-server-2.3.0-0.16.alpha.el6.noarch
[root@pulp-v2-server ~]# 

[root@pulp-v2-server ~]# ls -l /etc/pki/pulp/
total 20
-rw-r-----. 1 root   apache 1082 Sep 27 08:33 ca.crt
-rw-r-----. 1 root   apache 1675 Sep 27 08:33 ca.key
drwxr-xr-x. 2 apache apache 4096 Sep 26 16:44 content
drwxr-xr-x. 2 root   root   4096 Sep 27 09:52 nodes
drwxr-xr-x. 3 root   root   4096 Sep 19 15:03 qpid
[root@pulp-v2-server ~]#
Comment 4 Preethi Thomas 2013-12-09 14:31:29 UTC 
Pulp 2.3 released.