Bug 1378797
| Summary: | Web UI must check OCSP and CRL during smartcard login | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Roshni <rpattath> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | pvoborni, pvomacka, rcritten, spoore, tkrizek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.5.0-12.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 09:42:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Roshni
2016-09-23 09:44:36 UTC
triage notes:
mod_nss config needs to be changed -> IPA issue
NSSOCSP on
for CRL, a list needs to be loaded to NSS db and updated regularly(mod_revocator might help).
OCSP might be therefore preferred but it might have some performance impact which needs to be tested.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6370 Changing into a bug which must be fixed with introduction of certificate mapping authentication (introduced FreeIPA 4.5). Without it, user would be able to authenticate with expired or revoked certificate. Fixed upstream master: https://pagure.io/freeipa/c/e0b32dac5462164869ab19c3d56c36e80cde4b7b ipa-4-5: https://pagure.io/freeipa/c/4aa7e70fcd1851394f943da669d6af4e11b60940 Verified. Version :: ipa-server-4.5.0-13.el7.x86_64 Results :: Tested with Firefox and user was unable to use revoked cert. Also, tested with curl: [root@dhcp129-184 nssdb]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:password" 'https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc1' * About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0) * Trying IPA_SERVER_IP... * Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IP) port 443 (#0) * Initializing NSS with certpath: sql:/tmp/nssdb * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST * start date: Mar 31 21:17:28 2017 GMT * expire date: Apr 01 21:17:28 2019 GMT * common name: auto-hv-02-guest08.testrelm.test * issuer: CN=Certificate Authority,O=TESTRELM.TEST > GET /ipa/session/login_x509?username=demosc1 HTTP/1.1 > User-Agent: curl/7.29.0 > Host: auto-hv-02-guest08.testrelm.test > Accept: */* > * skipping SSL peer certificate verification * NSS: using client certificate: demosc1 (OpenSC Card):Certificate * subject: CN=demosc1,O=TESTRELM.TEST * start date: May 05 18:56:31 2017 GMT * expire date: May 06 18:56:31 2019 GMT * common name: demosc1 * issuer: CN=Certificate Authority,O=TESTRELM.TEST * SSL read: errno -12270 (SSL_ERROR_REVOKED_CERT_ALERT) * SSL peer rejected your certificate as revoked. * Closing connection 0 curl: (58) SSL peer rejected your certificate as revoked. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304 |