"For enhanced SSL support for yum + rhn, we need to be able to associate a CA cert with a repo, so we can verify the server's certificate. The following patch adds a config option to repositories to do this." From James Antill 2008-04-23 13:16:03 EDT ...... With this if I give it a bad ssl_ca_cert yum dies with "M2Crypto.SSL.SSLError: certificate verify failed". --- /tmp/abcd 2008-04-23 13:12:57.000000000 -0400 +++ /usr/lib/yum-plugins/rhnplugin.py 2008-04-23 13:13:12.000000000 -0400 @@ -285,6 +285,7 @@ reget = reget, checkfunc=checkfunc, http_headers=headers, + ssl_ca_cert = self.sslcacert ) return result @@ -303,6 +304,7 @@ reget = reget, checkfunc=checkfunc, http_headers=headers, + ssl_ca_cert = self.sslcacert ) return result except URLGrabError, e: Test case recommended by Tomas Hoger. - run yum to install some package, e.g. yum install mtr - during the "Is this ok [y/N]:", add iptables DNAT rule to redirect traffic to some https server, using something like: iptables -t nat -A OUTPUT -p tcp --dport 443 -d <rhn_host> -j DNAT --to-destination <different https host>:443 - request to get rpm should then go to https host with different (not trusted) certificate. 404 means fail, M2Crypto.SSL.SSLError success.
patch checked into git: 09e55ff2fb32910aaef62d80a9ecca0410554450
M2Crypto.SSL.SSLError: certificate verify failed

Verified in spacewalk 0.3.
Spacewalk has been released for some time.