1393962 – Using fence_vmware_soap with ssl_insecure=1 still leads to security warnings

Bug 1393962 - Using fence_vmware_soap with ssl_insecure=1 still leads to security warnings

Summary: Using fence_vmware_soap with ssl_insecure=1 still leads to security warnings

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	fence-agents
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Marek Grac
QA Contact:	cluster-qe@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1394959
TreeView+	depends on / blocked

Reported:	2016-11-10 17:36 UTC by Robert Scheck
Modified:	2020-12-11 19:31 UTC (History)
CC List:	8 users (show)
Fixed In Version:	fence-agents-4.0.11-52.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 16:10:32 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2772761	0	None	None	None	2020-12-11 19:31:24 UTC
Red Hat Product Errata	RHBA-2017:1874	0	normal	SHIPPED_LIVE	fence-agents bug fix and enhancement update	2017-08-01 17:53:05 UTC

Description Robert Scheck 2016-11-10 17:36:16 UTC

Description of problem:
When adding a STONITH device like this,

  pcs stonith create stonith_tux2 fence_vmware_soap ipaddr=192.0.2.70 \
  login=pacemaker passwd=TuxLovesFish ssl=1 ssl_insecure=1 \
  port=4229DFFE-1ADD-2967-15D6-72574A46EFD2 action=reboot \
  pcmk_host_list=tux2.example.net op monitor interval=60s

where I explicitly specify "ssl_insecure=1" as a parameter (like stated in
the man page of fence_vmware_soap(1)), then I do not want to be nagged every
monitor interval (aka every 60 seconds) in /var/log/messages like this:

Nov 10 18:30:12 tux1 stonith-ng[1224]: warning: fence_vmware_soap[7777] stderr: [ /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html ]
Nov 10 18:30:12 tux1 stonith-ng[1224]: warning: fence_vmware_soap[7777] stderr: [   InsecureRequestWarning) ]

I understand that the example above is insecure, but getting nagged is IMHO
absolutely fine when not having set "ssl_insecure=1" - but I do. Otherwise,
if you disagree about "ssl_insecure=1", please add a new option to silence
that as per choice of the administrator.

As per https://urllib3.readthedocs.org/en/latest/security.html these nagging
messages could be switched off or on program level, thus in the agent code.

Version-Release number of selected component (if applicable):
fence-agents-vmware-soap-4.0.11-47.el7.x86_64

How reproducible:
Everytime, see above.

Actual results:
Using fence_vmware_soap with ssl_insecure=1 still leads to security warnings.

Expected results:
No security warnings when ssl_insecure=1 is set for fence_vmware_soap.

Comment 1 Robert Scheck 2016-11-10 17:38:36 UTC

Cross-filed case 01738103 on the Red Hat customer portal.

Comment 2 Marek Grac 2016-11-11 08:21:41 UTC

I agree, we will fix it.

Comment 17 errata-xmlrpc 2017-08-01 16:10:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1874

Note You need to log in before you can comment on or make changes to this bug.