1138320 – Issues with ssl client verification using chain ca pem

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1138320 - Issues with ssl client verification using chain ca pem

Summary: Issues with ssl client verification using chain ca pem

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Content Management
Sub Component:
Version:	6.0.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	Unspecified
Assignee:	Katello Bug Bin
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:	1129719
Blocks:
TreeView+	depends on / blocked

Reported:	2014-09-04 13:33 UTC by Mike McCune
Modified:	2017-07-26 19:39 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1129719
Environment:
Last Closed:	2014-09-11 12:25:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Mike McCune 2014-09-04 13:33:52 UTC

+++ This bug was initially created as a clone of Bug #1129719 +++

I'm running into an issue with latest pulp REST binding unable to verify server certificate if the CA cert is a chain cert. It looks like the new pulp is using code from m2crypto library that does not support this feature. Attached are 2 small scripts that will recreate this scenario. 

Note: test_m2crypto.py have pieces of code yanked from pulp bindings/server.py 
Note2: The scripts assume pulp is installed locally.

Here are the steps:

1) ./create_rhui_ssl_certs.sh - This would output a bunch of certs, the important ones are copied to ./certs dir. 
2) Edit line 8 of test_m2crypto.py to point to $HOME/certs/server-ca-chain.pem 
3) Edit /etc/httpd/conf.d/ssl.conf with following key-value pair:
   3.1) SSLCertificateFile $HOME/certs/test-cert.pem
   3.2) SSLCertificateKeyFile $HOME/certs/test-key.pem
4) Restart httpd 
5) python test_m2crypto.py
6) openssl verify -verbose -CAfile $HOME/certs/server-ca-chain.pem $HOME/certs/test-cert.pem


Output should look like:

[root@rhua ~]# python test_m2crypto.py 
certificate verify failed
[root@rhua ~]# openssl verify -verbose -CAfile /root/certs/server-ca-chain.pem /root/certs/test-cert.pem 
/root/certs/test-cert.pem: OK


The version of pulp I'm using is:

[root@rhua ~]# rpm -qa | grep "pulp"
python-isodate-0.5.0-1.pulp.el6.noarch
python-pulp-rpm-common-2.4.0-0.30.beta.el6.noarch
createrepo-0.9.9-21.2.pulp.el6.noarch
pulp-admin-client-2.4.0-0.30.beta.el6.noarch
python-kombu-3.0.15-12.pulp.el6.noarch
pulp-puppet-plugins-2.4.0-0.30.beta.el6.noarch
pulp-selinux-2.4.0-0.30.beta.el6.noarch
pulp-rpm-admin-extensions-2.4.0-0.30.beta.el6.noarch
m2crypto-0.21.1.pulp-8.el6.x86_64
python-pulp-common-2.4.0-0.30.beta.el6.noarch
python-pulp-puppet-common-2.4.0-0.30.beta.el6.noarch
python-pulp-bindings-2.4.0-0.30.beta.el6.noarch
python-pulp-client-lib-2.4.0-0.30.beta.el6.noarch
mod_wsgi-3.4-1.pulp.el6.x86_64
pulp-server-2.4.0-0.30.beta.el6.noarch
pulp-rpm-plugins-2.4.0-0.30.beta.el6.noarch
pulp-puppet-admin-extensions-2.4.0-0.30.beta.el6.noarch
pulp-v2-cds-server-1.0.1-1.git.3.9a1a04f.el6.noarch

--- Additional comment from  on 2014-08-13 10:23:43 EDT ---



--- Additional comment from Randy Barlow on 2014-08-25 15:44:56 EDT ---

Brian has determined that this does not affect Satellite 6 GA as they do not use chain certificates. Given that M2Crypto does not support this feature, it will be a significant effort to resolve this issue.

I will mark this as untriaged so we can decide if we really want to keep this in 2.4.2.

--- Additional comment from John Matthews on 2014-08-25 16:10:20 EDT ---

When revisiting this BZ, please know that lack of CA Chain support will negatively impact RHUI customers.

RHUI customers often use CA Chains when managing their SSL certificates.

--- Additional comment from  on 2014-08-27 15:33:13 EDT ---

This is also a common case for Satellite 6 installations, but not with the default installer. Given use cases that require this by other projects, I'm triaging this as 2.4.2, Urgent.

--- Additional comment from Randy Barlow on 2014-09-03 16:38:15 EDT ---

It turned out that the 1 in the call to set_verify wasn't a boolean, but an integer specifying how deep we should be willing to follow certificate chains. I believe that setting it to 1 meant that the peer certificate had to be signed by a root certificate authority.

To fix this, I changed that line to this[0]:

ssl_context.set_verify(SSL.verify_peer, depth=100)

I would recommend using Apache's SSLCertificateChainFile directive[1] to give the certificate chain to the client instead of using Pulp's ca_path setting to do this. Pulp's ca_path should only need to be a path to trusted root certificates.

I will write steps to reproduce this bug in another comment.

[0] https://github.com/pulp/pulp/pull/1142
[1] https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

--- Additional comment from Randy Barlow on 2014-09-03 16:59:09 EDT ---

To reproduce this bug:

1) Create a root certificate authority (self signed v1 certificate will do).
2) Configure a host running pulp-admin to trust the root CA certificate.
3) Create an intermediate certificate authority.
4) Sign the intermediate certificate with the root certificate from step 1 (this must generate a v3 certificate with the appropriate certificate authority extensions[0].
5) Create a server certificate for Apache to use.
6) Sign the server certificate with the intermediate certificate.
7) Configure Apache's SSLCertificateChainFile directive (in /etc/httpd/conf.d/ssl.conf) to point at the intermediate CA certificate you created in step 3. This will cause Apache to hand that CA out along with its own certificate signed by that CA.
8) Try to use pulp-admin rpm repo list (or any other command that uses the server).

You should see step 8 fail before upgrading to the version that fixes this bug.

Once it is fixed, step 8 should succeed.

[0] For example, I generated one that had these extensions, as printed by openssl x509… -text:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C7:AF:E2:AC:53:E6:5F:60:D6:52:3B:61:83:02:9F:4F:5C:11:52:DB
            X509v3 Authority Key Identifier:
                keyid:5C:88:1C:B7:DF:DC:A8:C1:19:D1:C2:26:E0:DD:4C:A7:91:EC:D7:F3

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA
            X509v3 Subject Alternative Name:
                email:rbarlow
            X509v3 Issuer Alternative Name:
                <EMPTY>

Comment 4 Corey Welton 2014-09-08 15:15:17 UTC

marking this verified per regression testing in compose Satellite-6.0.4-RHEL-7-20140904.1

Comment 5 Bryan Kearney 2014-09-11 12:25:54 UTC

This was delivered with Satellite 6.0 which was released on 10 September 2014.

Note You need to log in before you can comment on or make changes to this bug.