Bug 734834

Summary: Add debug info for X509 certificate validation in repo_auth
Product: [Retired] Pulp
Component: rel-eng
Version: Master
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: John Matthews <jmatthew>
Assignee: pulp-bugs
QA Contact: Preethi Thomas <pthomas>
CC: cduryee, jason.dobies, rbarlow, skarmark
Keywords: Triaged
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-12-18 00:00:09 UTC

Description John Matthews 2011-08-31 15:07:32 UTC
Description of problem:
Repo auth is using OpenSSL's X509_STORE_CONTEXT::verify_cert() to validate a certificate.

If this is successful it returns 1; on failure, 0.
We could add a callback into M2Crypto and OpenSSL which would tell us more information about why a certificate failed verification.

When a certificate fails verification we want to log a reason in Apache's logs.

Comment 1 John Matthews 2012-01-17 17:28:08 UTC
Refer to the m2crypto patches below for possible solutions to exposing the verify callback.

https://bugzilla.osafoundation.org/show_bug.cgi?id=11690
and Patch: https://bugzilla.osafoundation.org/attachment.cgi?id=5710

Comment 2 Chris Duryee 2014-12-18 00:00:09 UTC
The patched version of m2crypto was removed with commit f435a14. It looks like there is logging in the current cert verification that should be sufficient.

Marking bz as closed/currentrelease but feel free to re-open if you see any particular use cases that are not logged appropriately.