Bug 457954 - Add SSL CA cert verification support to yum-rhn-plugin
Summary: Add SSL CA cert verification support to yum-rhn-plugin
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Clients
Version: 0.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Matthews
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space03
Reported: 2008-08-05 18:52 UTC by John Matthews
Modified: 2009-09-17 07:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-17 07:01:03 UTC
Embargoed:



Description John Matthews 2008-08-05 18:52:08 UTC
"For enhanced SSL support for yum + rhn, we need to be able to associate a CA
cert with a repo, so we can verify the server's certificate. The following patch
adds a config option to repositories to do this."


From  James Antill   2008-04-23 13:16:03 EDT   

......

 With this if I give it a bad ssl_ca_cert yum dies with "M2Crypto.SSL.SSLError:
certificate verify failed".

--- /tmp/abcd	2008-04-23 13:12:57.000000000 -0400
+++ /usr/lib/yum-plugins/rhnplugin.py	2008-04-23 13:13:12.000000000 -0400
@@ -285,6 +285,7 @@
                                       reget = reget,
                                       checkfunc=checkfunc,
                                       http_headers=headers,
+                                      ssl_ca_cert = self.sslcacert
                                       )
             return result
 
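Review bot: the added `ssl_ca_cert = self.sslcacert` keyword is only as strong as the value behind it, and nothing in this hunk shows where `self.sslcacert` is populated; it is worth confirming that a repo with no sslcacert configured does not simply hand the grabber None and continue without the verification this patch is meant to introduce, i.e. that the request fails rather than passing the attribute through silently. Style: match the neighbouring `checkfunc=checkfunc` spacing (`ssl_ca_cert=self.sslcacert`) and keep a trailing comma so the next argument added does not have to touch this line.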
@@ -303,6 +304,7 @@
                                           reget = reget,
                                           checkfunc=checkfunc,
                                           http_headers=headers,
+                                          ssl_ca_cert = self.sslcacert
                                           )
                 return result
             except URLGrabError, e:
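Review bot: this is the same keyword added a second time for the retry path's grabber call, so the two call sites now have to be kept in sync by hand; building the grabber arguments once in a dict and passing `**opts` to both calls would remove the duplication. Note also the `except URLGrabError, e:` immediately below: the description reports that a bad CA makes yum die with `M2Crypto.SSL.SSLError`, which this handler does not catch, so a verification failure surfaces as a traceback rather than a repo error. Catching it here (or in the caller) and reporting the repo and CA path would keep the fail-closed behaviour while making the failure readable.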
Test case recommended by Tomas Hoger.
- run yum to install some package, e.g. yum install mtr
- during the "Is this ok [y/N]:", add iptables DNAT rule to redirect traffic to
some https server, using something like:
  iptables -t nat -A OUTPUT -p tcp --dport 443 -d <rhn_host> -j DNAT --to-destination <different https host>:443
- request to get rpm should then go to https host with different (not trusted)
certificate. 404 means fail, M2Crypto.SSL.SSLError success.
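
The verification this bug adds only works when a usable CA bundle reaches the grabber; without one there is nothing to check the server certificate against. As an added illustration (not the plugin's own code, and written for Python 3 rather than the plugin's Python 2), the hypothetical helper below reads each repo's sslcacert option and refuses to produce grabber options unless the bundle exists and parses, reporting the reason per repo over a constructed config.

```python
import configparser
import os
import ssl
import tempfile


def grabber_ssl_opts(cfg, repo_id):
    """Hypothetical helper (not the plugin's code): turn a repo section's
    `sslcacert` option into the keyword arguments handed to the grabber.
    Fails closed: a missing or unusable CA bundle is an error, never None."""
    ca_path = cfg.get(repo_id, "sslcacert", fallback="").strip()
    if not ca_path:
        raise ValueError("no sslcacert configured; server certificate would not be verified")
    if not os.path.isfile(ca_path):
        raise ValueError("sslcacert %r is not a readable file" % ca_path)
    try:
        # Parse the bundle up front so a corrupt file fails here, not mid-download.
        ssl.create_default_context(cafile=ca_path)
    except ssl.SSLError as exc:
        raise ValueError("sslcacert %r is not a valid PEM bundle: %s" % (ca_path, exc))
    return {"ssl_ca_cert": ca_path}


def audit_repos(conf_text):
    """Map every repo section to None (usable CA) or the reason it would fail."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    result = {}
    for repo_id in cfg.sections():
        try:
            grabber_ssl_opts(cfg, repo_id)
            result[repo_id] = None
        except ValueError as exc:
            result[repo_id] = str(exc)
    return result


def demo():
    """Audit a constructed config with three repos that must all be rejected."""
    workdir = tempfile.mkdtemp()
    bogus = os.path.join(workdir, "ca.pem")
    with open(bogus, "w") as fh:
        fh.write("this is not a certificate\n")  # constructed, deliberately invalid
    conf = "\n".join([
        "[rhn-main]", "enabled = 1",  # no sslcacert at all
        "[rhn-tools]", "sslcacert = " + os.path.join(workdir, "missing.pem"),
        "[rhn-extras]", "sslcacert = " + bogus,
    ]) + "\n"
    return audit_repos(conf)


if __name__ == "__main__":
    for repo, problem in demo().items():
        print("%-12s %s" % (repo, problem or "ok"))
```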

Comment 1 John Matthews 2008-08-05 19:13:01 UTC
patch checked into git: 09e55ff2fb32910aaef62d80a9ecca0410554450

Comment 3 Devan Goodwin 2008-11-04 14:16:56 UTC
M2Crypto.SSL.SSLError: certificate verify failed

Verified in spacewalk 0.3.

Comment 4 Miroslav Suchý 2009-09-17 07:01:03 UTC
Spacewalk has been released for some time.

