Bug 1241089
Summary: RFE: add ability to lookup user based on certificate

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Component | mod_lookup_identity |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | medium |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Jan Pazdziora <jpazdziora> |
| Assignee | Jan Pazdziora <jpazdziora> |
| QA Contact | Namita Soman <nsoman> |
| CC | enewland, jpazdziora, ksiddiqu, mnavrati, spoore |
| Keywords | FutureFeature, Rebase |
| Fixed In Version | mod_lookup_identity-0.9.3-1.el7 |
| Doc Type | Rebase: Enhancements Only |
| Doc Text | The mod_lookup_identity packages have been upgraded to upstream version 0.9.3, which provides the ability to look up a user based on a certificate. |
| Last Closed | 2015-11-19 14:47:06 UTC |
| Type | Bug |
| Bug Depends On | 1202724 |
| Bug Blocks | 1127787, 1169972, 1181710 |

Description
Jan Pazdziora
2015-07-08 12:17:13 UTC
Upstream ticket https://fedorahosted.org/webauthinfra/ticket/5.

Rebased to 0.9.3.

Build mod_lookup_identity-0.9.3-1.el7.

The typical configuration would be

SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
LookupUserByCertificate On

which causes the certificate to be put to r->user, and then used by mod_lookup_identity as input for org.freedesktop.sssd.infopipe.Users.FindByCertificate call when LookupUserByCertificate On is enabled.

Verified.

Version ::

mod_lookup_identity-0.9.3-1.el7.x86_64

Results ::

blade01 is client and httpd server
blade05 is IPA master

############### ON WEB server ###############

[root@blade01 conf.d]# vi /etc/httpd/conf.d/ssl.conf
...change this...
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/ipa/ca.crt
...

[root@blade01 conf.d]# ipa service-add HTTP/$(hostname) --force
ipa: ERROR: service with name "HTTP/blade01.my.fqdn.test" already exists

[root@blade01 conf.d]# ipa-getcert request -f /etc/pki/tls/certs/server.pem \
> -k /etc/pki/tls/private/server.key \
> -K HTTP/$(hostname)
New signing request "20150921211340" added.

[root@blade01 conf.d]# cat /var/www/app.cgi
#!/usr/bin/perl

# Copyright 2014 Jan Pazdziora
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

use strict;
use warnings FATAL => 'all';
use CGI ();

my $LOGIN = '/login';
my $LOGOUT = '/logout';
my $AUTH_COOKIE = 'the-test-cookie';

my $q = new CGI;

my $cookie = $q->cookie($AUTH_COOKIE);
my ($user, $name);
if ($cookie and $cookie =~ /^ok:(.+)$/) {
    $user = $1;
    $name = CGI::escapeHTML($user);
}

my @nav;

print "Content-Type: text/html; charset=UTF-8\n";
print "Pragma: no-cache\n";

my $title = "Application";
my $body = "This is a test application; public view, not much to see.";
if (defined $user) {
    $title .= " authenticated ($name)";
    $body = "Test application; logged in as user $name."
        . " There is much more content for authenticated users." x 10;
}

sub logout {
    print "Set-Cookie: $AUTH_COOKIE=xx; path=$ENV{SCRIPT_NAME}\n";
    print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
    $title = "Logged out";
    $body = 'Successfully logged out. You will be redirected to the '
        . qq!<a href="$ENV{SCRIPT_NAME}">home page</a>!;
}

sub login {
    if (defined $user) {
        print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
        $title = "Already logged in";
        $body = "You are already logged in as user $name.\n";
        return;
    }
    $title = "Log in to application";
    my $login = $q->param('login');
    my $password = $q->param('password');
    my $error = '';
    if (defined $ENV{REMOTE_USER}) {
        $login = $ENV{REMOTE_USER};
        if (defined $ENV{REMOTE_USER_EMAIL}) {
            $login .= ": $ENV{REMOTE_USER_EMAIL}";
        }
        my $n = join ' ', grep defined $_, map $ENV{$_}, 'REMOTE_USER_FIRSTNAME', 'REMOTE_USER_LASTNAME';
        if ($n ne '') {
            $login = "$n ($login)";
        }
    } elsif (defined $login) {
        my $re = qr/^[-a-zA-Z0-9_.]+$/;
        if ($login eq '' or not $login =~ $re) {
            $error = '<p>Login has to be nonempty, full characters</p>';
        } elsif (not defined $password or not $password =~ $re) {
            $error = '<p>Password has to be nonempty</p>';
        } elsif ($password ne reverse($login)) {
            $error = '<p>Password has to be reverse login</p>';
        }
    }
    if (defined $login and $error eq '') {
        print "Set-Cookie: $AUTH_COOKIE=ok:$login; path=$ENV{SCRIPT_NAME}\n";
        print "Refresh: 3; URL=$ENV{SCRIPT_NAME}\n";
        $title = 'Logged in as ' . CGI::escapeHTML($login);
        $body = 'You will be redirected to the '
            . qq!<a href="$ENV{SCRIPT_NAME}">home page</a>!;
        return;
    }
    no warnings 'uninitialized';
    $body = <<"EOS";
$error
<form method="POST">
<dl>
<dt>Login:</dt>
<dd><input type="text" name="login" value="@{[ CGI::escapeHTML($login) ]}" />
<dt>Password:</dt>
<dd><input type="password" name="password" />
<dt><input type="submit" name="go" value="Log in" /></dt>
</dl>
</form>
EOS
}

if (defined $ENV{PATH_INFO}) {
    if (substr($ENV{PATH_INFO}, 0, length($LOGIN)) eq $LOGIN) {
        login();
        push @nav, qq!<a href="$ENV{SCRIPT_NAME}">Back to application</a>!;
    } elsif ($ENV{PATH_INFO} eq $LOGOUT) {
        logout();
        push @nav, qq!<a href="$ENV{SCRIPT_NAME}">Back to application</a>!;
    }
}

if (not @nav) {
    push @nav, (defined $user
        ? qq!<a href="$ENV{SCRIPT_NAME}$LOGOUT">Log out</a>!
        : qq!<a href="$ENV{SCRIPT_NAME}$LOGIN">Log in</a>!);
}

print <<"EOS";

<html>
<head>
<title>$title</title>
</head>
<body>
<h1>$title</h1>
<p>$body</p>
<hr/>
<p>@nav</p>
<!--
<hr/>
<pre>@{[ join "\n", map CGI::escapeHTML("$_=$ENV{$_}"), sort keys %ENV ]}
</pre>
-->
</body>
</html>
EOS

[root@blade01 conf.d]# cat app.conf
ScriptAlias /application /var/www/app.cgi

[root@blade01 conf.d]# cat wikiapp_lookup.conf
LoadModule lookup_identity_module modules/mod_lookup_identity.so

<LocationMatch ^/application/login>
  SSLVerifyClient require
  SSLUserName SSL_CLIENT_CERT
  LookupUserByCertificate On
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr firstname REMOTE_USER_FIRSTNAME
  LookupUserAttr lastname REMOTE_USER_LASTNAME
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
</LocationMatch>

[root@blade01 conf.d]# rpm -qa|egrep -i "mod_nss|mod_ssl"
mod_ssl-2.4.6-40.el7.x86_64

[root@blade01 conf.d]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service

################### ON IPA MASTER
###################################

[root@blade05 ~]# ipa group-add webgroup1
-----------------------
Added group "webgroup1"
-----------------------
  Group name: webgroup1
  GID: 1690400006

[root@blade05 ~]# ipa group-add-member webgroup1 --users=bob20669
  Group name: webgroup1
  GID: 1690400006
  Member users: bob20669
-------------------------
Number of members added 1
-------------------------

[root@blade05 ~]# ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
--------------------------------------------------------
Profile configuration stored in file 'caIPAuserCert.txt'
--------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@blade05 ~]# sed -i '/^profileId=.*$/d' caIPAuserCert.txt

[root@blade05 ~]# sed -i 's/^desc=.*$/desc=caIPAuserCert test profile/' caIPAuserCert.txt

[root@blade05 ~]# ipa certprofile-import caIPAuserCert --file=caIPAuserCert.txt --store=True
Profile description: caIPAuserCert test profile
--------------------------------
Imported profile "caIPAuserCert"
--------------------------------
  Profile ID: caIPAuserCert
  Profile description: caIPAuserCert test profile
  Store issued certificates: TRUE

[root@blade05 ~]# ipa caacl-add caacl_open --profilecat=all --usercat=all --hostcat=all --servicecat=all
-------------------------
Added CA ACL "caacl_open"
-------------------------
  ACL name: caacl_open
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all

[root@blade05 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=bob20669'
Generating a 2048 bit RSA private key
........................+++
...+++
writing new private key to 'private.key'
-----

[root@blade05 ~]# ipa cert-request cert.csr --principal=bob20669 --profile-id=caIPAuserCert
  Certificate: MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsF... /pXVmNx2Q2uu8ypcC9ZzuykVIy38RY6SETr5yPmkBM0NL5TeNVNdy9+06FmL/0QDVisfW5sNncxzfIO0LOQJp6gyMAXc2bGeeLlk2SR8aKPtyz5kNFKYUWaA4F2ZeAPsb0zU9JIu237FCgxU7L3c9fp0ZXPE1NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBFtfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN
  Subject: CN=bob20669,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Sep 21 21:18:04 2015 UTC
  Not After: Thu Sep 21 21:18:04 2017 UTC
  Fingerprint (MD5): a7:15:be:7d:81:0b:f2:0a:6b:23:4b:7f:d2:28:61:8c
  Fingerprint (SHA1): 04:32:33:ee:ff:f6:0d:c4:2c:b1:c8:49:13:13:fa:e6:73:2a:55:f9
  Serial number: 12
  Serial number (hex): 0xC

[root@blade05 ~]# ipa cert-show 0xc --out=bob20669.pem
  Certificate: MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFN
UExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA5
...
NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBF
tfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN
  Subject: CN=bob20669,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Sep 21 21:18:04 2015 UTC
  Not After: Thu Sep 21 21:18:04 2017 UTC
  Fingerprint (MD5): a7:15:be:7d:81:0b:f2:0a:6b:23:4b:7f:d2:28:61:8c
  Fingerprint (SHA1): 04:32:33:ee:ff:f6:0d:c4:2c:b1:c8:49:13:13:fa:e6:73:2a:55:f9
  Serial number (hex): 0xC
  Serial number: 12

#########################################################
#########################################################
### First Test with successful connection with Certificate
#########################################################
#########################################################

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:20:46 EDT 2015
HTTP/1.1 200 OK
Date: Mon, 21 Sep 2015 21:20:46 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Logged in as Robert Chase (bob20669: bob20669)</title>
</head>
<body>
<h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
<p>You will be redirected to the <a href="/application">home page</a></p>
<hr/>
<p><a href="/application">Back to application</a></p>
<!--
<hr/>
<pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.idm.lab.eng.rdu2.redhat.com
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=41828
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.idm.lab.eng.rdu2.redhat.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.idm.lab.eng.rdu2.redhat.com,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.idm.lab.eng.rdu2.redhat.com
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=5d49e1790cb9321285407e1a7ec8e4fdfa6cf9bbdfec3535db44ae16f1bdd694
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.idm.lab.eng.rdu2.redhat.com
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgB0rpG6VuU-xTTBlMmiIwAAAAE
</pre>
-->
</body>
</html>

[root@blade01 conf.d]# cat /var/log/httpd/ssl_access_log
2620:52:0:83c:21a:64ff:fe33:ff02 - bob20669 [21/Sep/2015:17:20:46 -0400] "GET /application/login HTTP/1.1" 200 2866

#########################################################
#########################################################
### Second Test without resetting httpd
#########################################################
#########################################################

[root@blade05 ~]# ipa user-remove-cert bob20669 --certificate="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"
-----------------------------------------
Removed certificates from user "bob20669"
-----------------------------------------
  User login: bob20669

[root@blade05 ~]# ipa user-show
User login: bob20669
  User login: bob20669
  First name: Robert
  Last name: Chase
  Home directory: /home/bob20669
  Login shell: /bin/sh
  Email address: bob20669
  UID: 1690400001
  GID: 1690400001
  Account disabled: False
  Password: True
  Member of groups: webgroup1
  Member of HBAC rule: allow_wikiapp
  Kerberos keys available: True

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:23:24 EDT 2015
HTTP/1.1 200 OK
Date: Mon, 21 Sep 2015 21:23:24 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Logged in as Robert Chase (bob20669: bob20669)</title>
</head>
<body>
<h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
<p>You will be redirected to the <a href="/application">home page</a></p>
<hr/>
<p><a href="/application">Back to application</a></p>
<!--
<hr/>
<pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.idm.lab.eng.rdu2.redhat.com
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=41838
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.idm.lab.eng.rdu2.redhat.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.idm.lab.eng.rdu2.redhat.com,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.idm.lab.eng.rdu2.redhat.com
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=37a16ea0d534719ef8b20936bc117ad0beb7e9d5607604c305ef7214e4f35f1c
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.idm.lab.eng.rdu2.redhat.com
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgB1TAojq3yAqwqOWasdDQAAAAM
</pre>
-->
</body>
</html>

#########################################################
#########################################################
### Third Test after resetting httpd
#########################################################
#########################################################

[root@blade01 conf.d]# systemctl restart httpd

[root@blade05 ~]# date; curl --key ./private.key --cert ./bob20669.pem -i https://blade01.idm.lab.eng.rdu2.redhat.com:443/application/login
Mon Sep 21 17:34:55 EDT 2015
HTTP/1.1 401 Unauthorized
Date: Mon, 21 Sep 2015 21:34:55 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

[root@blade01 conf.d]# tail -1 /var/log/httpd/ssl_access_log
2620:52:0:83c:21a:64ff:fe33:ff02 - - [21/Sep/2015:17:34:55 -0400] "GET /application/login HTTP/1.1" 401 127

moving back to ON_QA while I cover a few more test cases

################################################################################
# Test 1: clean test using certificate user lookup
################################################################################

ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:27:30 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:27:30 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Logged in as Robert Chase (bob20669: bob20669)</title>
</head>
<body>
<h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
<p>You will be redirected to the <a href="/application">home page</a></p>
<hr/>
<p><a href="/application">Back to application</a></p>
<!--
<hr/>
<pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42417
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=32086bb5d36b75c2722cc8db3e9bfa35630acf309267b0d95525425afa8a2ef0
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgFzYvG3b1f9oOlfemcqmAAAAAM
</pre>
-->
</body>
</html>

################################################################################
# Test 2: cached test after removing cert from user
################################################################################

ipa user-remove-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade05 ~]# ipa user-remove-cert bob20669 --certificate="$(cat bob20669.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:27:44 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:27:44 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Logged in as Robert Chase (bob20669: bob20669)</title>
</head>
<body>
<h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
<p>You will be redirected to the <a href="/application">home page</a></p>
<hr/>
<p><a href="/application">Back to application</a></p>
<!--
<hr/>
<pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42421
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0C
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=bob20669,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=bob20669
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 21 21:18:04 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 21 21:18:04 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=ed2d95e96b1ab4e5d1c5d01cc19fed1b2f34242f131a1c1c2687f6de60bcb889
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgFzcCbtg6tovgxkbPgRMQAAAAQ
</pre>
-->
</body>
</html>

################################################################################
# Test 3: failure test after clearing sssd cache
################################################################################

On Client:
sss_cache -E --
getent passwd bob20669

On Master:
date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade01 ~]# sss_cache -E --
[root@blade01 ~]# getent passwd bob20669
bob20669:*:1690400001:1690400001:Robert Chase:/home/bob20669:/bin/sh

[root@blade05 ~]# date; curl --key ./bob20669.key --cert ./bob20669.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:28:01 EDT 2015
HTTP/1.1 401 Unauthorized
Date: Tue, 22 Sep 2015 15:28:01 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>[root@blade05 ~]#

################################################################################
# Test 4: failure test with different user with cert
################################################################################

sss_cache -E --
ipa user-add-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade01 ~]# sss_cache -E --
[root@blade05 ~]# ipa user-add-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:29:47 EDT 2015
HTTP/1.1 403 Forbidden
Date: Tue, 22 Sep 2015 15:29:47 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Content-Length: 219
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /application/login
on this server.</p>
</body></html>

################################################################################
# Test 5: failure test with good user with cert for different CN
################################################################################

make sure cache is clear by removing or doing getent passwd newuser1

On Master:
ipa user-remove-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt

On Client:
sss_cache -E --
getent passwd newuser1

On Master:
ipa user-add-cert bob20669 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login

[root@blade05 ~]# ipa user-remove-cert newuser1 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]#

[root@blade01 ~]# sss_cache -E --
[root@blade01 ~]# getent passwd newuser1
newuser1:*:1690400007:1690400007:new test:/home/newuser1:/bin/sh
[root@blade01 ~]#

[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat newuser.pem |grep -v -- '----' | tr -d '[\n\r]')" >> /tmp/output.txt
[root@blade05 ~]# date; curl --key ./newuser.key --cert ./newuser.pem -i https://blade01.my.scrubbed.domain.test:443/application/login
Tue Sep 22 11:31:30 EDT 2015
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2015 15:31:30 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob20669: bob20669); path=/application
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Logged in as Robert Chase (bob20669: bob20669)</title>
</head>
<body>
<h1>Logged in as Robert Chase (bob20669: bob20669)</h1>
<p>You will be redirected to the <a href="/application">home page</a></p>
<hr/>
<p><a href="/application">Back to application</a></p>
<!--
<hr/>
<pre>CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=blade01.my.scrubbed.domain.test
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=2620:52:0:83c:21a:64ff:fe33:ff02
REMOTE_PORT=42433
REMOTE_USER=bob20669
REMOTE_USER_EMAIL=bob20669
REMOTE_USER_FIRSTNAME=Robert
REMOTE_USER_GECOS=Robert Chase
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
REMOTE_USER_LASTNAME=Chase
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=2620:52:0:83c:21a:64ff:fe4e:9dc4
SERVER_ADMIN=root@localhost
SERVER_NAME=blade01.my.scrubbed.domain.test
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_A_KEY=rsaEncryption
SSL_CLIENT_A_SIG=sha256WithRSAEncryption
SSL_CLIENT_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_CLIENT_I_DN_CN=Certificate Authority
SSL_CLIENT_I_DN_O=EXAMPLE.TEST
SSL_CLIENT_M_SERIAL=0D
SSL_CLIENT_M_VERSION=3
SSL_CLIENT_S_DN=CN=newuser1,O=EXAMPLE.TEST
SSL_CLIENT_S_DN_CN=newuser1
SSL_CLIENT_S_DN_O=EXAMPLE.TEST
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_V_END=Sep 22 12:53:48 2017 GMT
SSL_CLIENT_V_REMAIN=731
SSL_CLIENT_V_START=Sep 22 12:53:48 2015 GMT
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=true
SSL_SERVER_A_KEY=rsaEncryption
SSL_SERVER_A_SIG=sha256WithRSAEncryption
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.TEST
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.TEST
SSL_SERVER_M_SERIAL=0B
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=blade01.my.scrubbed.domain.test,O=EXAMPLE.TEST
SSL_SERVER_S_DN_CN=blade01.my.scrubbed.domain.test
SSL_SERVER_S_DN_O=EXAMPLE.TEST
SSL_SERVER_V_END=Sep 21 21:13:43 2017 GMT
SSL_SERVER_V_START=Sep 21 21:13:43 2015 GMT
SSL_SESSION_ID=1a39c6e56fb21c9412f29f8b4c73b03c15973975378b7c03ea6c36746dc161af
SSL_SESSION_RESUMED=Initial
SSL_TLS_SNI=blade01.my.scrubbed.domain.test
SSL_VERSION_INTERFACE=mod_ssl/2.4.6
SSL_VERSION_LIBRARY=OpenSSL/1.0.1e-fips
UNIQUE_ID=VgF0Uqjjs90oNxHj7O05ogAAAAA
</pre>
-->
</body>
</html>

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2451.html
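
Added example, not part of the bug report or of mod_lookup_identity: a Python reader for the request environment that the wikiapp_lookup.conf above produces. It takes the identity from REMOTE_USER and the REMOTE_USER_GROUPS variables rather than from the certificate subject, which is the distinction Test 5 exercises. The function names and the UNMAPPED_ENV sample are assumptions made for illustration; the other sample values are copied from the dumps in the comments.

```python
# Added example: application-side handling of the variables set by
# SSLUserName SSL_CLIENT_CERT + LookupUserByCertificate On + LookupUser*.
# Function and constant names are hypothetical, not mod_lookup_identity API.


class IdentityError(Exception):
    """The request environment does not carry a usable identity."""


def groups_from_env(env, prefix="REMOTE_USER_GROUPS"):
    """Read groups from PREFIX_N and PREFIX_1..PREFIX_N (LookupUserGroupsIter),
    falling back to the ':'-separated PREFIX value (LookupUserGroups)."""
    count = env.get(prefix + "_N")
    if count is None:
        return [g for g in env.get(prefix, "").split(":") if g]
    if not count.isdigit():
        raise IdentityError("%s_N is not a number: %r" % (prefix, count))
    groups = []
    for i in range(1, int(count) + 1):
        name = env.get("%s_%d" % (prefix, i))
        if not name:
            raise IdentityError("%s_%d is missing" % (prefix, i))
        groups.append(name)
    return groups


def identity_from_env(env):
    """Return the looked-up identity, or raise IdentityError."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise IdentityError("client certificate was not verified by mod_ssl")
    user = env.get("REMOTE_USER", "")
    if not user:
        raise IdentityError("no REMOTE_USER: certificate not mapped to a user")
    # SSLUserName SSL_CLIENT_CERT first puts the certificate itself into
    # r->user; refuse a value that was never replaced by a user name.
    if "-----BEGIN" in user:
        raise IdentityError("REMOTE_USER still holds the certificate")
    cert_cn = env.get("SSL_CLIENT_S_DN_CN")
    return {
        "user": user,
        "email": env.get("REMOTE_USER_EMAIL"),
        "first_name": env.get("REMOTE_USER_FIRSTNAME"),
        "last_name": env.get("REMOTE_USER_LASTNAME"),
        "groups": groups_from_env(env),
        # Informational only: the mapping comes from the certificate stored
        # in the user entry, so the subject CN may name someone else.
        "cert_cn": cert_cn,
        "cn_matches_user": cert_cn == user,
    }


def authorize(env, required_group):
    """Allow the request only for a mapped user in required_group."""
    try:
        identity = identity_from_env(env)
    except IdentityError:
        return False
    return required_group in identity["groups"]


# Values copied from the "Test 1" dump above.
TEST1_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "bob20669",
    "REMOTE_USER": "bob20669",
    "REMOTE_USER_EMAIL": "bob20669",
    "REMOTE_USER_FIRSTNAME": "Robert",
    "REMOTE_USER_LASTNAME": "Chase",
    "REMOTE_USER_GROUPS": "webgroup1",
    "REMOTE_USER_GROUPS_1": "webgroup1",
    "REMOTE_USER_GROUPS_N": "1",
}

# Values copied from the "Test 5" dump: certificate issued for CN=newuser1,
# attached to bob20669 in IPA, so the lookup returns bob20669.
TEST5_ENV = dict(TEST1_ENV, SSL_CLIENT_S_DN_CN="newuser1")

# Constructed sample: verified certificate, but no user was looked up.
UNMAPPED_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "bob20669"}

if __name__ == "__main__":
    for label, env in (("test1", TEST1_ENV), ("test5", TEST5_ENV)):
        print(label, identity_from_env(env))
    print("unmapped allowed:", authorize(UNMAPPED_ENV, "webgroup1"))
```

Run as a script, it prints the identities derived from the two dumps and shows that an environment without a looked-up user is refused.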