Bug 772936

Summary: [RFE]: Show a warning when server time and client time drift is big
Product: Red Hat Enterprise Linux 7
Component: subscription-manager
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Lukas Zapletal <lzap>
Assignee: Bryan Kearney <bkearney>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: bkearney, fsharath, jsefler, sghai
Target Milestone: rc
Target Release: 7.0
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 1.8.2
Doc Type: Enhancement
Last Closed: 2014-06-13 09:52:01 UTC
Bug Blocks: 863175

Description Lukas Zapletal 2012-01-10 11:48:29 UTC
When time and date of server and client differ, certificate validation can
fail.

Show a warning message to the user both in UI and TUI interfaces and also log a warning message in the log in case server time is different.

Server support needed for this new feature: https://bugzilla.redhat.com/show_bug.cgi?id=772935

Comment 3 RHEL Program Management 2012-07-10 08:48:45 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 RHEL Program Management 2012-07-11 02:08:51 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 5 Tom Lavigne 2012-09-07 15:20:40 UTC
This request was evaluated by Red Hat Product Management for 
inclusion in the current release of Red Hat Enterprise Linux.
Since we are unable to provide this feature at this time,  
it has been proposed for the next release of 
Red Hat Enterprise Linux.

Comment 7 Bryan Kearney 2012-12-20 21:35:58 UTC
https://github.com/candlepin/python-rhsm/pull/50

Comment 8 Bryan Kearney 2013-01-04 16:34:09 UTC
commit ec293ec10205e71132d90118534592c67a6abbeb
Author: Bryan Kearney <bkearney>
Date:   Fri Dec 14 16:21:20 2012 -0500

    772936: Warn the user when clock skew is detected.
    
    All server responses are required to contain a date header. This
    header is used to look for instances where the time on the local machine
    is more than 6 hours off of the server. The time is arbitrary.
    
    This should catch cases where the local machine is mis-configured. It is
    possible that it will not catch when the candlepin server clock is off
    since the header may come from the apache server.
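
A sketch of the check this commit message describes, as an added example rather than the python-rhsm code: the function names, the header dictionary and the sample timestamps are assumptions constructed here. It compares a response's Date header with the local clock against the 6-hour threshold, and returns nothing when there is no response or no parsable header, since the check then has nothing to compare.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Threshold from the commit message: warn when the local machine is
# more than 6 hours off the server's Date header.
MAX_SKEW = timedelta(hours=6)
MESSAGE = "Clock skew detected, please check your system time"

def clock_skew(headers, local_now):
    """Return local_now minus the server Date header, or None if unusable.

    headers is a dict of response headers (hypothetical shape), or None
    when no response arrived at all, e.g. the TLS handshake failed.
    local_now must be a timezone-aware datetime.
    """
    if headers is None:
        return None
    raw = next((v for k, v in headers.items() if k.lower() == "date"), None)
    if raw is None:
        return None
    try:
        server = parsedate_to_datetime(raw)
    except (TypeError, ValueError):  # malformed header value
        return None
    if server.tzinfo is None:  # a "-0000" zone parses as naive; treat as UTC
        server = server.replace(tzinfo=timezone.utc)
    return local_now - server

def skew_warning(headers, local_now):
    """Return a warning string when |skew| exceeds MAX_SKEW, else None."""
    skew = clock_skew(headers, local_now)
    if skew is None or abs(skew) <= MAX_SKEW:
        return None
    direction = "ahead of" if skew > timedelta(0) else "behind"
    return "%s (local clock is %s %s the server)" % (MESSAGE, abs(skew), direction)

# Constructed sample: a server response stamped 20:37:50 UTC.
SAMPLE_HEADERS = {"Date": "Tue, 23 Apr 2013 20:37:50 GMT"}
SERVER_TIME = datetime(2013, 4, 23, 20, 37, 50, tzinfo=timezone.utc)

if __name__ == "__main__":
    for offset in (-7, 0, 6, 7):  # local clock offsets in hours
        local = SERVER_TIME + timedelta(hours=offset)
        print(offset, skew_warning(SAMPLE_HEADERS, local))
```
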

Comment 9 Bryan Kearney 2013-02-08 17:18:44 UTC
Fixed in the 1.8.2 version of subscription-manager or python-rhsm

Comment 11 Sharath Dwaral 2013-02-27 15:58:06 UTC
Please ignore the Comment 10

Comment 12 Sharath Dwaral 2013-02-27 18:35:22 UTC
# rpm -qa | egrep "subscription-manager|python-rhsm"
python-rhsm-1.8.3-1.el7.x86_64
subscription-manager-gui-1.8.3-1.el7.x86_64
subscription-manager-migration-1.8.3-1.el7.x86_64
subscription-manager-debuginfo-1.8.3-1.el7.x86_64
subscription-manager-1.8.3-1.el7.x86_64
subscription-manager-firstboot-1.8.3-1.el7.x86_64
python-rhsm-debuginfo-1.8.3-1.el7.x86_64

This is tested for 2 scenarios, a "past date" and a "future date". Each of these scenarios has 2 cases: "insecure = 0" and "insecure = 1".

Scenario 1: Past Date

case 1:  insecure = 0

Candlepin

# date
Wed Feb 27 12:44:30 EST 2013

Client

# date
Wed Feb 27 12:44:07 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# date -s "Sun Feb 24 12:44:07 EST 2013"
Sun Feb 24 12:44:07 EST 2013

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 0

# subscription-manager register
Username: testuser1
Password: 
certificate verify failed

# cat /var/log/rhsm/rhsm.log | egrep "2013-02-24 12:.*time"


case 2:    insecure = 1

Candlepin

# date
Wed Feb 27 13:08:50 EST 2013

Client

# date
Sun Feb 24 13:08:39 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 1

# subscription-manager register
Username: testuser1
Password: 
Organization: snowwhite
The system has been registered with id: e72744fc-16dc-414c-851b-0207922a155f 

# cat /var/log/rhsm/rhsm.log | egrep "2013-02-24 13:.*time"
2013-02-24 13:10:28,533 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:28,629 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:28,726 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:35,015 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:39,807 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:39,908 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:40,005 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-02-24 13:10:40,129 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time


Scenario 2: Future date

case 1: insecure = 0 

Candlepin:

# date
Wed Feb 27 13:16:45 EST 2013

Client

# date
Sun Feb 24 13:14:30 EST 2013

# date -s "Fri Mar 01 13:14:30 EST 2013"
Fri Mar  1 13:14:30 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 0

# subscription-manager register
Username: testuser1
Password: 
Organization: snowwhite
The system has been registered with id: e7320383-4598-487f-adaa-7af912ea20ed 

# cat /var/log/rhsm/rhsm.log | egrep "2013-03-01 13:.*time"
2013-03-01 13:14:51,753 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:14:51,851 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:14:51,946 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:16,816 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:16,916 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:17,013 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:22,580 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:25,883 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:25,984 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:26,082 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:16:26,189 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time


case 2: insecure = 1 

Candlepin:

# date
Wed Feb 27 13:25:29 EST 2013

Client

# date
Fri Mar  1 13:19:37 EST 2013

# subscription-manager identity
This system is not yet registered. Try 'subscription-manager register --help' for more information.

# cat /etc/rhsm/rhsm.conf | grep insecure
insecure = 1

# subscription-manager register
Username: testuser1
Password: 
Organization: snowwhite
The system has been registered with id: 2bbfccd0-3c44-418d-ae89-0ee101bdf73b 

# cat /var/log/rhsm/rhsm.log | egrep "2013-03-01 13:2.*time"
2013-03-01 13:20:09,542 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:20:09,641 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:20:09,747 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:14,911 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:15,008 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:15,104 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:22,233 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:25,850 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:25,951 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:26,046 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
2013-03-01 13:21:26,150 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time


Findings:

On "past date" when insecure = 0 message in stdout is "certificate verify failed" and does not tell us why. 
On "future date" when insecure is either 0 the certs are not validated

Suggestions:

On "past date" when insecure = 0 we could have "Clock skew detected, please check your system time" sent to stdout.
On "future date" when insecure = 0 certs should be validated and we could have "Clock skew detected, please check your system time" sent to stdout

Comment 13 Bryan Kearney 2013-04-16 20:51:18 UTC
This is pretty low likelihood, so I would prefer to not corrupt the stdout. The current implementation meets the original RFE, so I am moving this back to ON_QA.

Comment 14 John Sefler 2013-04-23 20:45:01 UTC
Verifying Version...
[root@jsefler-7 ~]# rpm -q subscription-manager
subscription-manager-1.8.6-1.el7.x86_64




[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date
Tue Apr 23 16:37:03 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date -s "-7 hours"
Tue Apr 23 09:37:50 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
2013-04-23 09:38:00,311 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/
2013-04-23 09:38:00,350 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 09:38:00,351 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 09:38:00,357 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 09:38:00,393 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 09:38:00,393 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 09:38:00,398 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 09:38:00,433 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 09:38:00,434 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date -s "+14 hours"
Tue Apr 23 23:38:57 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
2013-04-23 23:39:05,805 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/
2013-04-23 23:39:05,859 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 23:39:05,861 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 23:39:05,870 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 23:39:05,905 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 23:39:05,906 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
--
2013-04-23 23:39:05,912 [DEBUG]  @connection.py:415 - Making request: GET /candlepin/status
2013-04-23 23:39:05,943 [DEBUG]  @connection.py:434 - Response status: 200
2013-04-23 23:39:05,944 [WARNING]  @connection.py:438 - Clock skew detected, please check your system time
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rm -f /var/log/rhsm/rhsm.log
[root@jsefler-7 ~]# date -s "-7 hours"
Tue Apr 23 16:39:31 EDT 2013
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.8.4-1
subscription-manager: 1.8.6-1.el7
python-rhsm: 1.8.9-1.el7
[root@jsefler-7 ~]# grep -i "clock" /var/log/rhsm/rhsm.log -B2
[root@jsefler-7 ~]# 



VERIFIED: When the system's clock is either behind or ahead of the candlepin server's clock by more than 6 hours (tested with a 7 hour skew), a warning is logged to rhsm.log after each response from the server.

Comment 15 Ludek Smid 2014-06-13 09:52:01 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.