Bug 965441
Summary: Document recent ssl support changes - hostname and server certificate validation

| Field | Value |
|---|---|
| Product | Red Hat Enterprise MRG |
| Reporter | Petr Matousek <pematous> |
| Component | Messaging_Installation_and_Configuration_Guide |
| Assignee | Joshua Wulf <jwulf> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Petr Matousek <pematous> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | Development |
| CC | jross, jwulf, lcarlon, lzhaldyb |
| Target Milestone | 2.5 |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| : | 1038004 |
| Environment | |
| Last Closed | 2014-05-15 14:47:09 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 885167, 885173, 1038004 |
Description
Petr Matousek
2013-05-21 09:05:29 UTC
Documentation shall also mention that both connection hostname validation against the server's certificate CN/SAN and the server's certificate validation against the chain of trust are not supported on RHEL 5 and are only done on demand on RHEL 6.

https://brewweb.devel.redhat.com/buildinfo?buildID=276786

In version 2-95: Section 9.2.6 updated with information on the availability of the ssl_trustfile parameter for RHEL 6 Python clients in MRG 2.3.3. Should be available on the documentation stage within 60 minutes: http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#Enable_SSL_in_Python_Clients

Joshua, the changes done seem quite good, but I'm still missing some content, please see below:

1. The documentation now states that SSL certificate validation against the chain of trust is supported in MRG 2.3.3 and above. The same is true for connection hostname validation. So the sentence "The server's SSL certificate is not matched against the connection hostname." is no longer valid for MRG 2.3.3 and above (RHEL 6 only).
2. Documentation shall mention that the server's certificate validation is only done on demand, i.e. 'ssl_trustfile' is an optional parameter and if it is not provided the server's certificate validation is not done.
3. The 'ssl_skip_hostname_check' connection option parameter might also be documented in the "MRG 2.3 Python SSL Parameters" paragraph (when set to true the connection hostname verification against the server certificate is skipped; default false).

Thanks for the changes, I approve that the points 1.-3. from comment 5 are documented. I would just add one more note to make the hostname checking functionality clear:

... "On all operating systems prior to 2.3.3, the server's SSL certificate is not matched against the connection hostname. In MRG Messaging 2.3.3, the Red Hat Enterprise Linux 6 Python client matches the server's SSL certificate against the connection hostname." ++ (note: the connection hostname is validated only when the 'ssl_trustfile' is provided) ...

Change made: http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#Enable_SSL_in_Python_Clients

It's not intuitive that connection hostname validation should depend on certificate authority validation, so that needs to be explained. It does seem that the connection name should be validated against the certificate, even if the certificate is not being validated against a chain of trust...

I approve the content, thanks for the changes.

Messaging Installation and Configuration Guide - Revision 2-98 -> VERIFIED
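The thread above describes two things a reader of the guide needs to understand: how a client matches the connection hostname against the server certificate's CN/SAN, and the on-demand option semantics of the MRG 2.3.3 RHEL 6 Python client (no validation at all without 'ssl_trustfile'; hostname checking on by default once a trustfile is given, unless 'ssl_skip_hostname_check' is set). The following Python is an added illustration written for this page; it is not the qpid client's own code. The functions `match_hostname` and `check_peer` are hypothetical names, chain-of-trust validation is assumed to succeed rather than modelled, and the certificate dicts are constructed in the layout Python's `ssl.getpeercert()` returns so the block runs offline.

```python
"""Hostname matching against a server certificate's CN/SAN, plus the
on-demand validation behaviour described for the MRG 2.3.3 RHEL 6 Python
client. Added illustration for this bug page; not qpid's own code."""


def _dns_name_match(pattern, hostname):
    """Match one DNS name from a certificate (possibly '*.example.com')
    against the connection hostname. A wildcard is accepted only as the
    entire leftmost label and matches exactly one label, so
    '*.example.com' matches 'a.example.com' but neither 'example.com'
    nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Reject '*', 'f*o.example.com', '*.*.com' and overly broad '*.com'.
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """Return True if hostname matches the certificate. When the
    certificate carries dNSName SAN entries only those are consulted
    (RFC 6125 behaviour); the subject commonName is used only as a
    fallback for certificates without SAN."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dns_name_match(name, hostname) for name in dns_names)


def check_peer(cert, hostname, ssl_trustfile=None,
               ssl_skip_hostname_check=False):
    """Mirror the option semantics described in this bug (assumption:
    chain validation against ssl_trustfile succeeds; it is not modelled).
    Returns (chain_checked, hostname_ok); hostname_ok is None when the
    hostname check did not run. Without ssl_trustfile the client does
    neither check, which is the on-demand behaviour the thread asks the
    guide to document."""
    if ssl_trustfile is None:
        return (False, None)
    if ssl_skip_hostname_check:
        return (True, None)
    return (True, match_hostname(cert, hostname))


# Constructed sample certificates in ssl.getpeercert() layout.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "broker.example.com"),
                       ("DNS", "*.mq.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),),
                (("commonName", "legacy.example.com"),)),
}


if __name__ == "__main__":
    for host in ("broker.example.com", "ignored.example.net",
                 "a.mq.example.com", "mq.example.com"):
        print(host, match_hostname(SAN_CERT, host))
    print("no trustfile:", check_peer(SAN_CERT, "attacker.example.org"))
    print("trustfile:", check_peer(SAN_CERT, "attacker.example.org",
                                   ssl_trustfile="/etc/pki/tls/certs/ca.pem"))
```

The `check_peer` results make the non-intuitive point from the thread concrete: a mismatched hostname is only ever reported once a trustfile is configured, so a deployment that omits 'ssl_trustfile' gets neither chain nor hostname validation.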