Bug 1252149 - candlepin: possible SSL/TLS certificate handling issues
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On:
Blocks: 1249957
Reported: 2015-08-10 16:05 EDT by Kurt Seifried
Modified: 2015-08-21 12:36 EDT

Doc Type: Bug Fix
Last Closed: 2015-08-21 12:36:46 EDT

Description Kurt Seifried 2015-08-10 16:05:46 EDT
John Sefler of Red Hat reports:

Under certain circumstances candlepin may fail to properly verify SSL/TLS
certificates. This issue has not yet been confirmed; once it is, a CVE will be
Comment 1 Kurt Seifried 2015-08-21 12:36:46 EDT
awood reports:

One of our QE folks noticed a similar issue on local tests.  Lockwait
timeouts plus unexpected certificate verification failures.  He
ultimately tracked the issue down to inconsistent networking behavior
on OpenStack instances.  After switching off of OpenStack, the issue
no longer manifested.

I personally don't believe this issue represents a security
vulnerability as in no case is the client getting a false positive on
who it is connecting to.  Occasionally it gets a false negative and
refuses to connect but that's failing safe.  So in my opinion a bug
yes, but a CVE no.
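To make the distinction drawn in the comment above concrete (a verification failure that makes the client refuse to connect is fail-closed; only a client that completes the handshake despite an untrusted certificate would be a real certificate-handling vulnerability), here is an added example. It is not part of this bug report and is not candlepin's own code: it uses Go's standard library with an httptest TLS server as a constructed stand-in for a candlepin endpoint, and the names Outcome, connect, trustServer and Run are assumptions of the example. It runs the same client against the same server three times: with the system trust store (the certificate's issuer is unknown, so the client refuses), with the server's certificate pinned as the only trusted root (the correct configuration), and with verification switched off (the fail-open shape a CVE would have).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome is how a client-side TLS handshake against the server ended.
type Outcome string

const (
	// Accepted: the chain verified against a trusted root and the request went through.
	Accepted Outcome = "accepted"
	// RejectedUnknownCA: verification failed and the client refused to connect.
	// This is the "false negative" described in the comment above: fail closed.
	RejectedUnknownCA Outcome = "rejected-unknown-ca"
	// AcceptedUnverified: the handshake completed only because verification was
	// switched off. This is the shape a genuine certificate-handling CVE would take.
	AcceptedUnverified Outcome = "accepted-unverified"
)

// newServer starts a loopback HTTPS server using httptest's self-signed certificate.
// It is a constructed stand-in for a candlepin endpoint, not candlepin itself.
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// trustServer builds a client config whose only trusted root is the server's own
// certificate, the equivalent of pointing the client at the deployment's CA bundle.
func trustServer(srv *httptest.Server) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return &tls.Config{RootCAs: pool}
}

// connect issues one GET with the given TLS config and classifies the result.
// A nil cfg means the client's default (system) trust store.
func connect(url string, cfg *tls.Config) (Outcome, error) {
	tr := &http.Transport{TLSClientConfig: cfg, Proxy: nil} // never route loopback via an env proxy
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		if errors.As(err, &unknownCA) {
			return RejectedUnknownCA, err // refused: the safe failure mode
		}
		return "", err // some error other than a verification failure
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	if cfg != nil && cfg.InsecureSkipVerify {
		return AcceptedUnverified, nil
	}
	return Accepted, nil
}

// Run exercises three client configurations against one local server and returns
// their outcomes in order: system roots, pinned server certificate, verification disabled.
func Run() ([3]Outcome, error) {
	srv := newServer()
	defer srv.Close()
	cfgs := []*tls.Config{nil, trustServer(srv), {InsecureSkipVerify: true}}
	var out [3]Outcome
	for i, cfg := range cfgs {
		o, err := connect(srv.URL, cfg)
		if err != nil && o == "" {
			return out, err
		}
		out[i] = o
	}
	return out, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	for i, label := range []string{"system roots", "pinned server cert", "InsecureSkipVerify"} {
		fmt.Printf("%-20s -> %s\n", label, out[i])
	}
}
```

The first run is the behaviour the QE tests observed: a certificate the client cannot chain to a trusted root is refused, and nothing is exposed. Only the third configuration, where a client accepts any certificate, would let a network position between client and server impersonate candlepin; that is the check to make when triaging a report like this one.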
