Bug 1252149 - candlepin: possible SSL/TLS certificate handling issues
Summary: candlepin: possible SSL/TLS certificate handling issues
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1249957
Reported: 2015-08-10 20:05 UTC by Kurt Seifried
Modified: 2019-09-29 13:36 UTC
CC List: 12 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-08-21 16:36:46 UTC
Embargoed:


Description Kurt Seifried 2015-08-10 20:05:46 UTC
John Sefler of Red Hat reports:

Under certain circumstances candlepin may fail to properly verify SSL/TLS
certificates. This issue has not yet been confirmed; once it is, a CVE will be
assigned.

Comment 1 Kurt Seifried 2015-08-21 16:36:46 UTC
awood reports:

One of our QE folks noticed a similar issue on local tests.  Lockwait
timeouts plus unexpected certificate verification failures.  He
ultimately tracked the issue down to inconsistent networking behavior
on OpenStack instances.  After switching off of OpenStack, the issue
no longer manifested.

I personally don't believe this issue represents a security
vulnerability as in no case is the client getting a false positive on
who it is connecting to.  Occasionally it gets a false negative and
refuses to connect but that's failing safe.  So in my opinion a bug
yes, but a CVE no.
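The distinction awood draws above (a verification failure that makes the client refuse to connect is a false negative and fails safe; only a client that accepts the wrong peer would be vulnerable) is worth encoding in client code that has to live with flaky networking. The following is an added example, not code from this bug report or from Candlepin itself (which is Java); it uses Python's standard ssl module to show the policy: transient connect timeouts and resets are retried, while a certificate verification error is surfaced immediately and is never retried or downgraded to an unverified connection. The names make_verifying_context, connect_with_retries and VerificationRefused, and the flaky/impostor connectors that simulate a peer, are assumptions made for this example so it runs offline.

```python
"""Added example, not code from the bug report or from Candlepin: a TLS client
helper that retries transient network faults but treats a certificate
verification failure as final. A verification failure therefore stays a false
negative (the client refuses to talk) and is never turned into a false positive
(talking to an unverified peer)."""
import ssl
from typing import Callable, Optional


class VerificationRefused(Exception):
    """Raised when the peer certificate could not be verified. Never retried."""


def make_verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that can reject an impostor.

    create_default_context() sets CERT_REQUIRED and check_hostname=True; the
    explicit check guards against a later edit silently weakening the context.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("context does not verify peer certificates")
    return ctx


def connect_with_retries(connect: Callable[[], object], attempts: int = 3) -> object:
    """Run connect() (one TLS connect + handshake) up to `attempts` times.

    TimeoutError and ConnectionError are treated as transient network faults
    (the kind of flakiness described in the bug; socket.timeout is an alias of
    TimeoutError on Python 3.10+) and retried. An ssl.SSLCertVerificationError
    is re-raised at once as VerificationRefused: retrying could mask a real
    impostor, and falling back to an unverified connection would be the actual
    vulnerability.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    last_exc: Optional[BaseException] = None
    for _ in range(attempts):
        try:
            return connect()
        except ssl.SSLCertVerificationError as exc:
            raise VerificationRefused(str(exc)) from exc
        except (TimeoutError, ConnectionError) as exc:
            last_exc = exc
    assert last_exc is not None
    raise last_exc


# --- constructed stand-ins so the module runs offline (not real network code) ---

def flaky_connector(timeouts_before_success: int) -> Callable[[], str]:
    """Simulates a peer that times out N times, then completes the handshake."""
    calls = {"n": 0}

    def connect() -> str:
        calls["n"] += 1
        if calls["n"] <= timeouts_before_success:
            raise TimeoutError("simulated connect timeout")
        return "connected (verified)"

    return connect


def impostor_connector() -> Callable[[], str]:
    """Simulates a peer whose certificate fails verification on every attempt."""

    def connect() -> str:
        raise ssl.SSLCertVerificationError("simulated: certificate verify failed")

    return connect


if __name__ == "__main__":
    make_verifying_context()  # in real code this context wraps the socket
    print(connect_with_retries(flaky_connector(2)))  # succeeds on attempt 3
    try:
        connect_with_retries(impostor_connector())
    except VerificationRefused as exc:
        print("refused, not retried:", exc)
```

The retry loop deliberately lists only the transient exception types rather than catching OSError wholesale: ssl.SSLCertVerificationError is itself an OSError subclass, so a broad handler placed first would quietly retry (or worse, prompt a fallback on) the one failure that must remain final.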
