Bug 457954

Summary: Add SSL CA cert verification support to yum-rhn-plugin
Product: [Community] Spacewalk
Component: Clients
Version: 0.2
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Reporter: John Matthews <jmatthew>
Assignee: John Matthews <jmatthew>
QA Contact: Red Hat Satellite QA List <satqe-list>
CC: cperry, dgoodwin
Doc Type: Bug Fix
Last Closed: 2009-09-17 07:01:03 UTC
Bug Blocks: 456551

Description John Matthews 2008-08-05 18:52:08 UTC
"For enhanced SSL support for yum + rhn, we need to be able to associate a CA
cert with a repo, so we can verify the server's certificate. The following patch
adds a config option to repositories to do this."


From James Antill 2008-04-23 13:16:03 EDT

......

With this if I give it a bad ssl_ca_cert yum dies with "M2Crypto.SSL.SSLError:
certificate verify failed".

--- /tmp/abcd	2008-04-23 13:12:57.000000000 -0400
+++ /usr/lib/yum-plugins/rhnplugin.py	2008-04-23 13:13:12.000000000 -0400
@@ -285,6 +285,7 @@
                                       reget = reget,
                                       checkfunc=checkfunc,
                                       http_headers=headers,
+                                      ssl_ca_cert = self.sslcacert
                                       )
             return result
 
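Review bot: `ssl_ca_cert = self.sslcacert` is passed unconditionally, but nothing in this hunk shows where `self.sslcacert` is initialised or what it holds when the new repository option is not set; if it can be None, an https repository with no CA configured is fetched with whatever the grabber does in the absence of a CA, which is exactly the unverified case this change is meant to close. Refuse (or at least loudly warn on) an https repo with no CA set, and include the hunk that reads the option from the repo config so the two can be reviewed together. Minor: the neighbouring keyword arguments use `checkfunc=checkfunc` spacing, so `ssl_ca_cert=self.sslcacert` would match.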
@@ -303,6 +304,7 @@
                                           reget = reget,
                                           checkfunc=checkfunc,
                                           http_headers=headers,
+                                          ssl_ca_cert = self.sslcacert
                                           )
                 return result
             except URLGrabError, e:
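Review bot: this second call site sits inside a `try:` whose handler catches only `URLGrabError`, yet the failure the new option produces is reported above as `M2Crypto.SSL.SSLError: certificate verify failed`, so a wrong CA file or a redirected host ends in an uncaught traceback rather than a clean, non-retryable error. Failing is the correct outcome; catch that error here (or have the grabber wrap it) and report which repository and CA file rejected the server certificate. Same keyword-spacing nit as in the first hunk.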

Test case recommended by Tomas Hoger.
- run yum to install some package, e.g. yum install mtr
- during the "Is this ok [y/N]:", add iptables DNAT rule to redirect traffic to
some https server, using something like:
  iptables -t nat -A OUTPUT -p tcp --dport 443 -d <rhn_host> -j DNAT
      --to-destination <different https host>:443
- request to get rpm should then go to https host with different (not trusted)
certificate.  404 means fail, M2Crypto.SSL.SSLError success.

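The redirect test above can be reproduced on a single machine without root or iptables. The following is an added example, not code from this bug's patch or from the Spacewalk project: it starts two throw-away HTTPS servers on loopback, each with its own self-signed certificate (named "rhn" and "rogue" here purely for the demo), and a client that trusts only the "rhn" certificate connects to both, which is the situation the DNAT rule creates. Python 3's stdlib `ssl` stands in for the plugin's M2Crypto/urlgrabber stack, and `openssl` is assumed to be on PATH for certificate generation (OpenSSL 1.1.1 or newer, for `-addext`).

```python
"""
Added example (not from the bug's patch): local reproduction of the
"redirect yum's https fetch to a different host" test.  A client that
trusts only the "rhn" certificate must reach the rhn server and must fail
certificate verification against the rogue one.  Assumes `openssl` on PATH.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_NAME = "localhost"   # CN/SAN in both certificates; the client verifies against it
LOOPBACK = "127.0.0.1"


def make_self_signed(directory, name):
    """Write a self-signed certificate and key for SERVER_NAME; return their paths."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + SERVER_NAME, "-addext", "subjectAltName=DNS:" + SERVER_NAME,
         "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


class OneShotHttpsServer:
    """Accept one TLS connection, answer a minimal HTTP response, then stop."""

    def __init__(self, certfile, keyfile):
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(certfile, keyfile)
        self.sock = socket.socket()
        self.sock.bind((LOOPBACK, 0))          # ephemeral port, read back below
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        try:
            conn, _ = self.sock.accept()
            with self.ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(4096)
                tls.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        except (ssl.SSLError, OSError):
            pass  # client refused our certificate: expected for the rogue host
        finally:
            self.sock.close()


def fetch(port, cafile):
    """Connect the way the patched plugin should: trust only `cafile`, require
    a valid chain and a matching hostname.  Returns "reached_server" when the
    request went through, "verify_failed" when the certificate was rejected."""
    ctx = ssl.create_default_context(cafile=cafile)  # with cafile given, no system CAs are loaded
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    try:
        with socket.create_connection((LOOPBACK, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                tls.sendall(b"GET /mtr.rpm HTTP/1.0\r\nHost: localhost\r\n\r\n")
                tls.recv(1024)
                return "reached_server"
    except ssl.SSLCertVerificationError:
        return "verify_failed"


def run_demo():
    """Run the legitimate and the redirected case.  Returns None when openssl is
    unavailable or too old, otherwise a dict with one outcome per case."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        try:
            rhn_crt, rhn_key = make_self_signed(tmp, "rhn")
            rogue_crt, rogue_key = make_self_signed(tmp, "rogue")
        except subprocess.CalledProcessError:
            return None
        legit = OneShotHttpsServer(rhn_crt, rhn_key)
        rogue = OneShotHttpsServer(rogue_crt, rogue_key)
        return {
            "rhn_host": fetch(legit.port, cafile=rhn_crt),            # expected: reached_server
            "redirected_to_rogue": fetch(rogue.port, cafile=rhn_crt), # expected: verify_failed
        }


if __name__ == "__main__":
    print(run_demo())
```

The oracle is the same as in the iptables version: a completed HTTP exchange with the rogue host is a failed test, a certificate verification error is a pass. Note that `create_default_context(cafile=...)` deliberately does not load the system trust store, so the client's trust is exactly the one CA file the repository is configured with, which is what `ssl_ca_cert` is meant to express.
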
Comment 1 John Matthews 2008-08-05 19:13:01 UTC
patch checked into git: 09e55ff2fb32910aaef62d80a9ecca0410554450

Comment 3 Devan Goodwin 2008-11-04 14:16:56 UTC
M2Crypto.SSL.SSLError: certificate verify failed

Verified in spacewalk 0.3.

Comment 4 Miroslav Suchý 2009-09-17 07:01:03 UTC
Spacewalk has been released for some time.