Bug 690430
Summary: [apache] pinging a HTTPS URL fails if the certificate is not trusted by the JVM

| Field | Value |
|---|---|
| Product | [Other] RHQ Project |
| Component | Plugins |
| Version | 4.0.0 |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Reporter | Lukas Krejci <lkrejci> |
| Assignee | RHQ Project Maintainer <rhq-maint> |
| QA Contact | Mike Foley <mfoley> |
| CC | hrupp, jsanda, loleary, mazz, skondkar |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| | 769965 |
| Last Closed | 2013-09-02 07:17:55 UTC |
| Bug Blocks | 678340, 753904 |

Description
Lukas Krejci
2011-03-24 11:08:28 UTC
It is possible to "switch off" the trust checking using code similar to http://www.exampledepot.com/egs/javax.net.ssl/trustall.html. We need to make sure that this behavior is configurable in the connection properties.

See if we can fix or at minimum document the workarounds somewhere.

It appears that the proposed resolution to this bug is to add an option to disable SSL certificate validation completely and to trust all certificates. I think this is fine but we need to make sure that the option isn't misused by adding some kind of warning or documentation around the caution of using it.

Additionally, I think we should approach this as two separate options. One to trust all certificates and another to validate the certificate but disable host name validation. This way, users who hit this issue just because the certificate was issued for a public IP but we are using a local IP to talk to Apache, we can more safely ignore the host name check validation issue.

Pushed fix to master.

commit: 7e3d9889259a68be7a1461df2ff1908dcc2b8f67

A property named disableCertificateVerification has been added to the Apache server and vhost resource types. It defaults to false/off. If you enable it, certificate validation is disabled during availability checks. This is done on a per-instance basis. In other words, any other components running in the plugin container that require/use certificate validation should remain unaffected.

For host name verification issue:

Steps to Reproduce:
1. Configure apache with a self-signed certificate using the real host name as the common name (i.e. myhost.domain.com). The host name must be valid and resolvable by DNS. (In the default fedora installation do the following:
   a) open /etc/httpd/conf.d/ssl.conf
   b) uncomment the "SSLCertificateKeyFile" directive
   c) uncomment the "SSLCACertificateFile" directive
   d) restart apache)
2. Install the self-signed public certificate in the JVM's cacerts:
   a) <JRE-path>/bin/keytool -import -keystore "<JRE_path>/lib/security/cacerts" -keypass changeit -alias apachecert -file "/tmp/key.cer"
3. inventory the apache in RHQ
4. change the "URL" property in the connection properties to https://localhost:443

Actual results: the reported availability goes down

Expected results: avail stays up

The difference here is that if the correct host name is used (the one used in the certificate) all is well. The objective is to use an alternate host name (one not in the certificate) but still have everything be okay without the need to completely disregard the certificate.

Removing the plugin configuration property that disables SSL cert validation for the URL used in availability checks. Cert validation is automatically disabled if the URL is HTTPS.

commit hash: f969d77b1fde23911c544fff01768048cc76c02c

Verified on build209 (Version: 4.1.0-SNAPSHOT Build Number: e7947ed)

Followed the steps and verified that the availability of Apache server stays up. Marking as verified.

Bulk closing of issues that were VERIFIED, had no target release and where the status changed more than a year ago.
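
Added example, not part of the bug thread and not RHQ code: a sketch of the second option discussed above, where the certificate chain is still validated against the JVM trust store and only the host name mismatch is tolerated, for a single connection. It is stricter than simply switching host name checking off: the mismatch is accepted only when the certificate names a configured host. The class name, the `expectName` helper, the HEAD probe and the timeouts are assumptions; the URL and host name come from the reproduction steps.

```java
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

public class PinnedNameCheck {
    // Called by HttpsURLConnection only when the URL host does not match the
    // certificate; accept the mismatch only if the cert names expectedName.
    static HostnameVerifier expectName(String expectedName) {
        return (urlHost, session) -> {
            try {
                X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
                Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
                boolean hasDnsSan = false;
                if (sans != null) {
                    for (List<?> san : sans) {
                        if (!Integer.valueOf(2).equals(san.get(0))) continue; // 2 = dNSName
                        hasDnsSan = true;
                        if (expectedName.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
                    }
                }
                if (hasDnsSan) return false; // SAN present: do not fall back to CN
                LdapName subject = new LdapName(leaf.getSubjectX500Principal().getName());
                for (Rdn rdn : subject.getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())
                            && expectedName.equalsIgnoreCase(String.valueOf(rdn.getValue()))) {
                        return true;
                    }
                }
                return false;
            } catch (Exception e) {
                return false; // unreadable certificate: fail closed
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Values from the reproduction steps: the agent polls localhost, the
        // certificate was issued for myhost.domain.com and imported into cacerts.
        URL url = new URL("https://localhost:443/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(expectName("myhost.domain.com")); // this connection only
        conn.setRequestMethod("HEAD"); // assumed probe method
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        System.out.println("HTTP " + conn.getResponseCode()); // chain still validated by the JVM
    }
}
```

The match is exact and case-insensitive, so wildcard certificates are not handled. Setting the verifier on the connection rather than through `HttpsURLConnection.setDefaultHostnameVerifier` leaves other HTTPS clients in the same JVM untouched.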