Bug 1412830 - [3.2] Extended Route Validation Breaks Included Templates
Summary: [3.2] Extended Route Validation Breaks Included Templates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.2.1
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
: 3.2.1
Assignee: Ram Ranganathan
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks: 1465059
TreeView+ depends on / blocked
 
Reported: 2017-01-12 22:32 UTC by Ram Ranganathan
Modified: 2022-08-04 22:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Cause: The extended certificate validation code (now enabled by default) would not allow some certificates that should be considered valid. Consequence: Self-signed, expired, or not yet current certificates that were otherwise well-formed would be rejected. Fix: The extended validation was changed to allow those cases. Result: Those types of certificates are now allowed.
Clone Of:
: 1465059 (view as bug list)
Environment:
Last Closed: 2017-01-26 20:43:41 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0199 0 normal SHIPPED_LIVE OpenShift Container Platform 3.3.1.11 and 3.2.1.23 bug fix update 2017-01-27 01:41:56 UTC

Description Ram Ranganathan 2017-01-12 22:32:38 UTC
Backport fixes for bugz https://bugzilla.redhat.com/show_bug.cgi?id=1389165 to 3.2

Comment 2 zhaozhanqi 2017-01-19 09:32:32 UTC
QE did the testing with ose-haproxy-router:v3.2.1.22

this bug should be fixed

and also did some regression testing for haproxy, no issue found.

Comment 3 zhaozhanqi 2017-01-19 09:34:09 UTC
sorry, typo

the version should be 'openshift3/ose-haproxy-router:v3.2.1.23'

Comment 4 Eric Rich 2017-01-20 16:18:54 UTC
If you look at https://access.redhat.com/containers/#/tags/57ea8d0a9c624c035f96f452 this image has not been pushed to the container registry via an errata.

Comment 9 Meng Bo 2017-01-24 08:36:16 UTC
Tested on OCP 3.2.1.23 with router image b887c3dfe886

The edge route with expired cert can be created successfully.

# oc get route 
NAME      HOST/PORT                                 PATH      SERVICE   TERMINATION     LABELS
jenkins   jenkins-bmengp1.0124-1xt.qe.rhcloud.com             jenkins   edge/Redirect   template=jenkins-ephemeral-template

# openssl x509 -in cert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=SC, L=Default City, O=Default Company Ltd, OU=Test CA, CN=www.exampleca.com/emailAddress=example
        Validity
            Not Before: Jan 12 14:19:41 2015 GMT
            Not After : Jan 12 14:19:41 2016 GMT
        Subject: CN=www.example.com, ST=SC, C=US/emailAddress=example, O=Example, OU=Example

Comment 11 errata-xmlrpc 2017-01-26 20:43:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0199


Note You need to log in before you can comment on or make changes to this bug.