626951 – Consumer certificates can be spoofed

Bug 626951 - Consumer certificates can be spoofed

Summary: Consumer certificates can be spoofed

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Pulp
Classification:	Retired
Component:	z_other
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Jay Dobies
QA Contact:	wes hayutin
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	verified-to-close
TreeView+	depends on / blocked

Reported:	2010-08-24 18:13 UTC by Jay Dobies
Modified:	2011-08-16 14:20 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-08-16 14:20:41 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jay Dobies 2010-08-24 18:13:38 UTC

Since we don't do verification of the certificates (pulp.conf: "SSLVerifyClient optional_no_ca"), someone is able to create and sign their own certificate with any given consumer ID and pretend to be that consumer.

Comment 1 Jay Dobies 2010-08-24 18:26:06 UTC

commit	a170699b2edb36840691fdfdd772a90918cb4fbd
tree	e3eb7df0b0fa391694747bedc13f31eeec2d7117


Changed SSL client cert handling to verify so we can ensure we were the ones who issued the certificate.


etc/httpd/conf.d/pulp.conf 


Configured apache to verify the client certificate, which ensures it was signed by its CA and not by a spoofer.

Comment 2 Jay Dobies 2010-08-24 18:28:50 UTC

To verify:

Create a consumer in pulp, which will download the consumer's specific certificate to the machine:

- pulp-client consumer create --id=foo -uadmin -padmin

The certificates are placed in /etc/pki/consumer.

Verify these certificates work:

- pulp-client consumer update

This should be successful.

Generate a second certificate manually, using a different CA than is installed on the pulp server. The CN of that *must* match the CN in the certificate provided by pulp (hint: it's what you passed into --id). Copy this certificate and private key over the pulp ones in /etc/pki/consumer.

Attempt to use the self-signed certificates:

- pulp-client consumer update

This should fail with a message about a bad certificate.

Comment 3 Jay Dobies 2010-08-25 15:14:26 UTC

commit	6dad1a25eaa3a451d3242accd406a6df8848409a
tree	f4b0dde29e6da243d2ece28d27cd310fa9b22e53


Added CA certificate validation only in cases where a consumer cert is being used.


src/pulp/server/webservices/role_check.py 	


The apache solution won't work because we have some operations that should not verify the client certificate. The logic for that verification has been pushed back into the pulp layer so we can have more fine grained control. The verification steps are the same.

Comment 4 Preethi Thomas 2011-05-06 13:29:20 UTC

verified
[root@10 ~]# rpm -q pulp-client
pulp-client-0.0.173-1.fc14.noarch

with the actual consumer cert

[root@10 ~]# pulp-client consumer update
Successfully updated consumer [10.16.79.198] profile


after changing the consumer cert

[root@10 ~]# pulp-client consumer update
Enter passphrase:
Error updating consumer [10.16.79.198].

Comment 5 Preethi Thomas 2011-08-16 14:20:41 UTC

Closing with Community Release 15

pulp-0.0.223-4.

Note You need to log in before you can comment on or make changes to this bug.