Red Hat Bugzilla – Bug 1252149
candlepin: possible SSL/TLS certificate handling issues
Last modified: 2015-08-21 12:36:46 EDT
John Sefler of Red Hat reports:
Under certain circumstances candlepin may fail to properly verify SSL/TLS
certificates. This issue has not yet been confirmed; once it is, a CVE will be
One of our QE folks noticed a similar issue on local tests. Lockwait
timeouts plus unexpected certificate verification failures. He
ultimately tracked the issue down to inconsistent networking behavior
on OpenStack instances. After switching off of OpenStack, the issue
no longer manifested.
I personally don't believe this issue represents a security
vulnerability as in no case is the client getting a false positive on
who it is connecting to. Occasionally it gets a false negative and
refuses to connect but that's failing safe. So in my opinion a bug
yes, but a CVE no.