The code in 2.4.1-0.5.rc1 that verifies that a client's entitlement certificate is signed by a specified CA is broken. It actually causes apache processes to segfault. The problem is in new code that uses ctypes to call libcrypto directly from python. Fixing this code would (or will) take substantial investigation and testing. For now, we are implementing a work-around to unblock sat6. The work-around is to disable client SSL cert verification in the wsgi access script, and instead let sat6 use mod_ssl to do that. This is a temporary fix that will need to be revisited before the next community release.
https://github.com/pulp/pulp_rpm/pull/555
Back to assigned for permanent fix.
Created attachment 932515 [details] use mod_ssl for entitlement cert validation This patch enables mod_ssl enforcement of client certificate CA verification. It assumes you want to use the CA installed by katello, so modify that path to enforce with some other CA.
https://github.com/pulp/pulp/pull/1152 https://github.com/pulp/pulp_rpm/pull/558 In order to verify the latest changes to this bug, there are four test cases to run: 1) Case #1 tests what will happen for users who upgrade and don't do anything. For them, there won't be a verify_ssl setting in /etc/pulp/repo_auth.conf, so make sure that isn't defined there. In this case, Pulp should assume you still want to do per-repo authorization. Test this case like you normally would for repo auth. It should succeed with valid entitlement certs and it should fail with invalid ones. 2) Case #2 tests what happens for users who explicitly set verify_ssl to true. The rest of this test case should work just like #1. 3) Case #3 tests what happens for users who set verify_ssl to false, but do not configure Apache to do the validation. In this case, all certificates that have the correct OIDs (the OIDs are still checked even when verify_ssl is false) should be allowed access, even if they are not signed by a valid CA. Make sure that certificates signed by invalid CAs are allowed access, as well as certificates that have valid CA signatures. Also, make sure that all certificates that don't have the correct OIDs for the given repos are still denied (this is very important!). 4) Case #4 tests what happens for users who set verify_ssl to false and also configure Apache to require validly signed certificates. This should again work just like Case #1, but Apache will be enforcing the signature checks instead of Pulp. Make sure the right certs are allowed and rejected, both due to signatures and due to correct/incorrect OIDs. Note that the CA still needs to be uploaded to the repo in order to configure repo_auth for it, otherwise Pulp will not check the OIDs. Please also verify the docs changes that went into the two pull requests.
Fixed in pulp-2.4.1-0.8.beta.
verified with different scenarios [root@qe-blade-13 ~]# rpm -qa pulp-server pulp-server-2.4.1-0.8.beta.el6.noarch [root@qe-blade-13 ~]#
This is fixed in Pulp-2.4.1-1.