Bug 1814383

Summary: librepo does not do TLS certificate revocation checking
Product: Red Hat Enterprise Linux 8 Reporter: Steve Grubb <sgrubb>
Component: librepo
Assignee: amatej
Status: CLOSED ERRATA QA Contact: Jan Blazek <jblazek>
Severity: high Docs Contact: Mariya Pershina <mpershin>
Priority: high    
Version: 8.2
CC: amatej, jjaburek, jpazdziora, lberton, mdomonko, peasters, pkratoch
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: librepo-1.14.0-1.el8 Doc Type: Enhancement
Doc Text:
`sslverifystatus` has been added to `dnf` configuration

With this update, when the `sslverifystatus` option is enabled, `dnf` checks each server certificate's revocation status using the *Certificate Status Request* TLS extension (OCSP stapling). As a result, when a revoked certificate is encountered, `dnf` refuses to download from its server.
Last Closed: 2021-11-09 19:45:07 UTC Type: Bug
Bug Depends On: 1951407, 1951409    
Bug Blocks: 1825061, 1940119    

Description Steve Grubb 2020-03-17 18:13:07 UTC
Description of problem:
Librepo's use of libcurl does not seem to enable certificate revocation checking. libcurl has an option, CURLOPT_SSL_VERIFYSTATUS, but it defaults to off. Searching librepo, it doesn't seem to set any SSL options.

For common criteria purposes, we need dnf via librepo to do certificate revocation checking.

Comment 1 amatej 2020-03-27 09:35:40 UTC
The libcurl option CURLOPT_SSL_VERIFYSTATUS supports only the OCSP stapling method of certificate revocation checking. Is this enough? I am asking because from my small testing I found out that not all servers with repositories support this.
If it is enough we could for example add a new configuration option (that defaults to off) which would ensure that repositories that have it enabled use curl with CURLOPT_SSL_VERIFYSTATUS.

Comment 2 Steve Grubb 2020-03-27 13:26:54 UTC
How about the Red Hat servers? Do they support OCSP stapling? If they do not, I will open a ticket to get that fixed. Enabling the option should be enough to pass certification. That was the only problem they found with TLS as used by dnf.

Comment 3 amatej 2020-03-30 08:20:58 UTC
I tried using librepo with CURLOPT_SSL_VERIFYSTATUS enabled on a rhel-8.2.0 machine with the rhel-8-for-x86_64-appstream-htb-rpms repo (https://cdn.redhat.com/content/htb/rhel8/8/x86_64/appstream/os) and it seems that OCSP stapling is not enabled. But I am not sure whether you mean these Red Hat servers.

Another option would be to implement going to the certificate authority for the list of revoked certificates and checking it manually, but that seems to be fairly complicated.

Comment 4 Steve Grubb 2020-03-30 13:11:50 UTC
When you say it's not enabled, which end are you speaking of? The client side or the server side?

Comment 5 amatej 2020-03-30 13:23:27 UTC
I meant the server side doesn't have it enabled (doesn't support it). The client side is controlled by CURLOPT_SSL_VERIFYSTATUS in librepo, which I set manually.
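Before turning the client-side check on, it helps to know whether a given repository server actually staples OCSP responses (the server-side support discussed in comments 3 to 5). The POSIX shell helper below is an added example, not librepo or dnf code; it needs the `openssl` and `curl` command-line tools, and the sample transcripts and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example: probe a repository host for OCSP stapling before enabling
# CURLOPT_SSL_VERIFYSTATUS (curl --cert-status / dnf sslverifystatus).
# Host names are placeholders; requires the openssl and curl CLI tools.

# Classify a transcript of `openssl s_client -status` into "stapled" (server
# sent an OCSP response), "none" (handshake succeeded, nothing stapled) or
# "unknown" (connection failed or output not recognised).
ocsp_classify() {
  case "$1" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo none ;;
    *)                                    echo unknown ;;
  esac
}

# Probe a live server: $1 host, $2 optional port (default 443).
# -servername sets SNI so the server presents the right certificate.
probe_ocsp_stapling() {
  host=$1; port=${2:-443}
  out=$(openssl s_client -status -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null) || true
  ocsp_classify "$out"
}

# The same check from the libcurl side: --cert-status is the CLI form of
# CURLOPT_SSL_VERIFYSTATUS. Exit 0 means a good stapled status was seen;
# exit 91 (CURLE_SSL_INVALIDCERTSTATUS) is what dnf with sslverifystatus
# enabled would hit against a server that does not staple.
curl_cert_status() {
  if curl --silent --output /dev/null --cert-status "https://$1/"; then
    echo 0
  else
    echo $?
  fi
}

# Constructed transcripts (not captured from any real server), used to
# exercise ocsp_classify without network access.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Usage: sh probe.sh repo.example.com   (placeholder host)
if [ -n "${1:-}" ]; then
  printf '%s: stapling=%s curl_exit=%s\n' "$1" \
    "$(probe_ocsp_stapling "$1")" "$(curl_cert_status "$1")"
fi
```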

Comment 22 amatej 2021-02-01 15:03:38 UTC
Since we are still waiting I am moving this to 8.5.0.

Comment 49 errata-xmlrpc 2021-11-09 19:45:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (librepo bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4429