Since we don't do verification of the certificates (pulp.conf: "SSLVerifyClient optional_no_ca"), someone is able to create and sign their own certificate with any given consumer ID and pretend to be that consumer.
commit a170699b2edb36840691fdfdd772a90918cb4fbd
tree e3eb7df0b0fa391694747bedc13f31eeec2d7117

Changed SSL client cert handling to verify so we can ensure we were the ones who issued the certificate.

etc/httpd/conf.d/pulp.conf
Configured apache to verify the client certificate, which ensures it was signed by its CA and not by a spoofer.
To verify:

Create a consumer in pulp, which will download the consumer's specific certificate to the machine:
- pulp-client consumer create --id=foo -uadmin -padmin
The certificates are placed in /etc/pki/consumer.

Verify these certificates work:
- pulp-client consumer update
This should be successful.

Generate a second certificate manually, using a different CA than is installed on the pulp server. The CN of that *must* match the CN in the certificate provided by pulp (hint: it's what you passed into --id). Copy this certificate and private key over the pulp ones in /etc/pki/consumer.

Attempt to use the self-signed certificates:
- pulp-client consumer update
This should fail with a message about a bad certificate.
commit 6dad1a25eaa3a451d3242accd406a6df8848409a
tree f4b0dde29e6da243d2ece28d27cd310fa9b22e53

Added CA certificate validation only in cases where a consumer cert is being used.

src/pulp/server/webservices/role_check.py
The apache solution won't work because we have some operations that should not verify the client certificate. The logic for that verification has been pushed back into the pulp layer so we can have more fine grained control.

The verification steps are the same.
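The verification steps above, reproduced with openssl alone so the CA check the fix relies on can be exercised without a pulp server. This is an added example, not code from the bug or from the Pulp project; the CA names (pulp-ca, other-ca) and the consumer id foo are constructed for it.

```shell
#!/bin/sh
# Added example: a consumer cert issued by the server CA (CN=foo) and a second
# cert with the same CN issued by a different CA, then the check that matters:
# does the cert chain to our CA, or does it merely carry the right CN?
set -e
work=$(mktemp -d)
cd "$work"

# Server-side CA (constructed name) and the consumer cert it issued, CN=foo
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=pulp-ca" -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout foo.key -out foo.csr \
  -subj "/CN=foo" 2>/dev/null
openssl x509 -req -in foo.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out foo.crt -days 1 2>/dev/null

# A different CA, and a cert with the same CN signed by it: the "second
# certificate" from the verification steps
openssl req -x509 -newkey rsa:2048 -nodes -keyout other-ca.key \
  -out other-ca.crt -subj "/CN=other-ca" -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout spoof.key -out spoof.csr \
  -subj "/CN=foo" 2>/dev/null
openssl x509 -req -in spoof.csr -CA other-ca.crt -CAkey other-ca.key \
  -CAcreateserial -out spoof.crt -days 1 2>/dev/null

# Print the CN, which pulp uses as the consumer id; both certs say "foo"
consumer_id_of() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds only if the cert was signed by the CA in $1. This is the check the
# "SSLVerifyClient optional_no_ca" configuration skipped.
check_consumer_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

consumer_id_of foo.crt      # foo
consumer_id_of spoof.crt    # foo, so the CN alone proves nothing
check_consumer_cert ca.crt foo.crt && echo "foo.crt: issued by our CA"
check_consumer_cert ca.crt spoof.crt || echo "spoof.crt: rejected, wrong CA"
```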
verified

[root@10 ~]# rpm -q pulp-client
pulp-client-0.0.173-1.fc14.noarch

with the actual consumer cert
[root@10 ~]# pulp-client consumer update
Successfully updated consumer [10.16.79.198] profile

after changing the consumer cert
[root@10 ~]# pulp-client consumer update
Enter passphrase:
Error updating consumer [10.16.79.198].
Closing with Community Release 15 pulp-0.0.223-4.