Bug 1393962

Summary: Using fence_vmware_soap with ssl_insecure=1 still leads to security warnings
Product: Red Hat Enterprise Linux 7
Component: fence-agents
Version: 7.3
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Hardware: All
OS: Linux
Reporter: Robert Scheck <redhat-bugzilla>
Assignee: Marek Grac <mgrac>
QA Contact: cluster-qe <cluster-qe>
CC: asatpute, cluster-maint, jruemker, mjuricek, oalbrigt, pisharma, robert.scheck, sbradley
Target Milestone: rc
Fixed In Version: fence-agents-4.0.11-52.el7
Last Closed: 2017-08-01 16:10:32 UTC
Type: Bug
Bug Blocks: 1394959

Description Robert Scheck 2016-11-10 17:36:16 UTC
Description of problem:
When adding a STONITH device like this,

  pcs stonith create stonith_tux2 fence_vmware_soap ipaddr=192.0.2.70 \
  login=pacemaker passwd=TuxLovesFish ssl=1 ssl_insecure=1 \
  port=4229DFFE-1ADD-2967-15D6-72574A46EFD2 action=reboot \
  pcmk_host_list=tux2.example.net op monitor interval=60s

where I explicitly specify "ssl_insecure=1" as a parameter (like stated in
the man page of fence_vmware_soap(1)), then I do not want to be nagged every
monitor interval (aka every 60 seconds) in /var/log/messages like this:

Nov 10 18:30:12 tux1 stonith-ng[1224]: warning: fence_vmware_soap[7777] stderr: [ /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html ]
Nov 10 18:30:12 tux1 stonith-ng[1224]: warning: fence_vmware_soap[7777] stderr: [   InsecureRequestWarning) ]

I understand that the example above is insecure, but getting nagged is IMHO
absolutely fine when not having set "ssl_insecure=1" - but I do. Otherwise,
if you disagree about "ssl_insecure=1", please add a new option to silence
that as per choice of the administrator.

As per https://urllib3.readthedocs.org/en/latest/security.html these nagging
messages could be switched off or on program level, thus in the agent code.

Version-Release number of selected component (if applicable):
fence-agents-vmware-soap-4.0.11-47.el7.x86_64

How reproducible:
Every time, see above.

Actual results:
Using fence_vmware_soap with ssl_insecure=1 still leads to security warnings.

Expected results:
No security warnings when ssl_insecure=1 is set for fence_vmware_soap.
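
Added example, not part of the original report and not the fence-agents project's own code: one way an agent could switch the urllib3 warning off at program level only when the administrator set ssl_insecure, while every other warning still reaches stderr. The function names, the options dict and the simulated request are assumptions; the stand-in warning class is used only when urllib3 is not installed.

```python
import warnings

try:
    # Real warning category, available when urllib3 is installed.
    from urllib3.exceptions import InsecureRequestWarning
except ImportError:
    # Constructed stand-in so the example runs without urllib3.
    class InsecureRequestWarning(Warning):
        pass


def configure_tls_warnings(options):
    """Silence InsecureRequestWarning only if ssl_insecure was set explicitly.

    `options` is a hypothetical dict of agent parameters as strings.
    Returns True when the filter was installed.
    """
    if options.get("ssl_insecure") in ("1", 1, True):
        # Scoped to one category: other warnings are not affected.
        warnings.filterwarnings("ignore", category=InsecureRequestWarning)
        return True
    return False


def simulated_request():
    """Stand-in for the HTTPS call (constructed): emits the warning urllib3
    raises for an unverified request, plus one unrelated warning."""
    warnings.warn("Unverified HTTPS request is being made.",
                  InsecureRequestWarning)
    warnings.warn("unrelated deprecation", DeprecationWarning)


def run_agent(options):
    """Return the warning categories that would be reported for `options`."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")   # start from a loud, known state
        configure_tls_warnings(options)   # inserted ahead of "always"
        simulated_request()
    return [w.category.__name__ for w in caught]


if __name__ == "__main__":
    print(run_agent({"ssl": "1", "ssl_insecure": "1"}))
    print(run_agent({"ssl": "1"}))
```

Without ssl_insecure the InsecureRequestWarning is still reported, so an unintended unverified connection stays visible in the logs.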

Comment 1 Robert Scheck 2016-11-10 17:38:36 UTC
Cross-filed case 01738103 on the Red Hat customer portal.

Comment 2 Marek Grac 2016-11-11 08:21:41 UTC
I agree, we will fix it.

Comment 17 errata-xmlrpc 2017-08-01 16:10:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1874