Bug 1135144
| Summary: | "Empty reply from server"/httpd segfault when trying to consume content | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Michael Hrivnak <mhrivnak> | ||||
| Component: | rpm-support | Assignee: | Randy Barlow <rbarlow> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 2.4.1 | CC: | bbuckingham, cduryee, cwelton, jortel, katello-qa-list, mmccune, pthomas, rbarlow | ||||
| Target Milestone: | --- | Keywords: | Triaged | ||||
| Target Release: | 2.4.1 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | 1135127 | ||||||
| : | 1142289 (view as bug list) | Environment: | |||||
| Last Closed: | 2014-09-23 17:54:11 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1135127 | ||||||
| Bug Blocks: | 1142289 | ||||||
| Attachments: |
|
||||||
|
Comment 1
Michael Hrivnak
2014-08-29 00:25:20 UTC
Back to assigned for permanent fix. Created attachment 932515 [details]
use mod_ssl for entitlement cert validation
This patch enables mod_ssl enforcement of client certificate CA verification. It assumes you want to use the CA installed by katello, so modify that path to enforce with some other CA.
https://github.com/pulp/pulp/pull/1152 https://github.com/pulp/pulp_rpm/pull/558 In order to verify the latest changes to this bug, there are four test cases to run: 1) Case #1 tests what will happen for users who upgrade and don't do anything. For them, there won't be a verify_ssl setting in /etc/pulp/repo_auth.conf, so make sure that isn't defined there. In this case, Pulp should assume you still want to do per-repo authorization. Test this case like you normally would for repo auth. It should succeed with valid entitlement certs and it should fail with invalid ones. 2) Case #2 tests what happens for users who explicitly set verify_ssl to true. The rest of this test case should work just like #1. 3) Case #3 tests what happens for users who set verify_ssl to false, but do not configure Apache to do the validation. In this case, all certificates that have the correct OIDs (the OIDs are still checked even when verify_ssl is false) should be allowed access, even if they are not signed by a valid CA. Make sure that certificates signed by invalid CAs are allowed access, as well as certificates that have valid CA signatures. Also, make sure that all certificates that don't have the correct OIDs for the given repos are still denied (this is very important!). 4) Case #4 tests what happens for users who set verify_ssl to false and also configure Apache to require validly signed certificates. This should again work just like Case #1, but Apache will be enforcing the signature checks instead of Pulp. Make sure the right certs are allowed and rejected, both due to signatures and due to correct/incorrect OIDs. Note that the CA still needs to be uploaded to the repo in order to configure repo_auth for it, otherwise Pulp will not check the OIDs. Please also verify the docs changes that went into the two pull requests. Fixed in pulp-2.4.1-0.8.beta. verified with different scenarios [root@qe-blade-13 ~]# rpm -qa pulp-server pulp-server-2.4.1-0.8.beta.el6.noarch [root@qe-blade-13 ~]# This is fixed in Pulp-2.4.1-1. |