Bug 493122
| Summary: | Proper invocation and use of mod_revocator | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Matthew Harmsen <mharmsen> | ||||||
| Component: | Fortitude | Assignee: | Matthew Harmsen <mharmsen> | ||||||
| Status: | CLOSED WONTFIX | QA Contact: | Chandrasekar Kannan <ckannan> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | urgent | ||||||||
| Version: | 1.0 | CC: | aakkiang, alee, awnuk, benl, cfu, dlackey, jmagne, mharmsen, rcritten | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2009-10-12 17:40:46 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 492503 | ||||||||
| Bug Blocks: | 445047 | ||||||||
| Attachments: |
|
||||||||
|
Description
Matthew Harmsen
2009-03-31 17:34:49 UTC
I am able to visit secure website using a smart card token which has the revoked certs (The tps agent has put the token in temporarily lost status). Jack mentioned that its a mod revocator issue., related to this bug. Expected behavior: Should not allow authentication to secure websites when the certs are in revoked state. And the website in question is running mod_revocator and is successfully downloading a CRL? Created attachment 339945 [details]
Base diffs to allow mod_revocator to be used on RHEL
Created attachment 339946 [details]
Dogtag diffs to allow mod_revocator to be used on RHEL
attachment (id=339945) attachment (id=339946) +awnuk cd pki/base % svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^? M ra/lib/perl/PKI/RA/DonePanel.pm M tps/lib/perl/PKI/TPS/DonePanel.pm % svn commit Sending base/ra/lib/perl/PKI/RA/DonePanel.pm Sending base/tps/lib/perl/PKI/TPS/DonePanel.pm Transmitting file data .. Committed revision 393. cd pki/dogtag % svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^? M setup/pki-setup.spec M ra/pki-ra.spec M tps/pki-tps.spec % svn commit Sending dogtag/ra/pki-ra.spec Sending dogtag/setup/pki-setup.spec Sending dogtag/tps/pki-tps.spec Transmitting file data ... Committed revision 394. NOTE: As "mod_revocator" can ONLY be enabled on RHEL platforms (and NOT) on
Fedora platforms, this bug will be moved to 8.1 rather than being closed.
For RHCS 8.0, it became necessary to port the "fork" changes made to the Fedora version of "mod_nss" to RHEL 5. Consequently, these changes conflict with the way that "mod_revocator" works, and thus "mod_revocator" was dropped as a dependency requirement for RHCS 8.0 and later. According to Rob, to fix "mod_revocator" would require serious re-architecting of the way that it worked, therefore, OCSP checking available via use of "mod_nss" was utilized instead for the purposes of RHCS 8.0 and later. we are not using mod_revocator at this point. per bug council, marking this is as closed/wontfix |