Bug 661375 - Luci should make a best effort to limit the number of warnings connected with its self-signed certificate (although the warning that the cert is self-signed is itself apparently unavoidable)
Summary: Luci should make best effort to limit number of warnings connected with self-...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: luci
Version: 14
Hardware: Unspecified
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jan Pokorný [poki]
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 660446
Blocks:
Reported: 2010-12-08 17:06 UTC by Jan Pokorný [poki]
Modified: 2010-12-13 19:36 UTC
CC List: 3 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-13 19:36:05 UTC
Type: ---
Embargoed:


Attachments
Firefox: initial warning about self-signed certificate (contains one extra unnecessary warning) (61.84 KB, image/png), 2010-12-08 17:10 UTC, Jan Pokorný [poki]
Firefox: initial warning about self-signed certificate (unnecessary warning removed) (59.70 KB, image/png), 2010-12-08 17:11 UTC, Jan Pokorný [poki]
Firefox: "add exception" dialog (contains one extra unnecessary warning) (42.83 KB, image/png), 2010-12-08 17:13 UTC, Jan Pokorný [poki]
Firefox: "add exception" dialog (unnecessary warning removed) (37.62 KB, image/png), 2010-12-08 17:14 UTC, Jan Pokorný [poki]


Links
Red Hat Bugzilla 660446 (priority medium, status CLOSED): Luci package neither well maintainable wrt external files (cross-references, values integrity etc.) nor it forms compact... (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 660446

Description Jan Pokorný [poki] 2010-12-08 17:06:28 UTC
It was found out that some warning messages connected with the self-managed self-signed certificate used in the current luci can be removed (proved with Firefox and lynx) if either CN (CommonName) is set to the hostname serving luci or subjectAltName (one of the X.509 extensions) contains the correct IP (IP item) or hostname (DNS item) -- see also RFC 2818 (section 3.1) and RFC 5280 (section 4.2.1.6).  A best effort should be made to remove these unnecessary warnings, i.e. before the certificate is generated ad hoc on the first use of luci, external IPs should be detected and the respective hostnames resolved and added into the certificate configuration file.

Comment 1 Jan Pokorný [poki] 2010-12-08 17:10:39 UTC
Created attachment 467524 [details]
Firefox: initial warning about self-signed certificate (contains one extra unnecessary warning)

Comment 2 Jan Pokorný [poki] 2010-12-08 17:11:38 UTC
Created attachment 467525 [details]
Firefox: initial warning about self-signed certificate (unnecessary warning removed)

Comment 3 Jan Pokorný [poki] 2010-12-08 17:13:23 UTC
Created attachment 467526 [details]
Firefox: "add exception" dialog (contains one extra unnecessary warning)

Comment 4 Jan Pokorný [poki] 2010-12-08 17:14:13 UTC
Created attachment 467527 [details]
Firefox: "add exception" dialog (unnecessary warning removed)

Comment 5 Jan Pokorný [poki] 2010-12-08 17:17:41 UTC
With lynx, there is one unnecessary question (that must be answered with
every response):

SSL error:host(node1)!=cert(CN<luci high availability management server>)-Continue? (y)

Comment 6 Jan Pokorný [poki] 2010-12-08 19:47:49 UTC
Commit http://git.fedorahosted.org/git/?p=luci.git;a=commit;h=9f5ec97d5e5c0f221939f2d383581a86bbc68233 addresses this issue.

By default, prior to generating the self-managed certificate (which
takes place if none exists yet), an attempt is made to get the external
IPs and hostnames and add them into the certificate configuration file
- this can be disabled by manually editing this cert. config. file
  (/var/lib/luci/etc/cacert.config) so that "###" is not
  found at the end of this file before the first start of the service
  (but it may be a good idea to fill in the intended address manually)

Of course, the best option is to use a certificate coming from your own cert.
infrastructure (e.g. corporate or even commercial?) and set it in the
sysconfig file (see bug #661386)
- this would possibly suppress warnings from the web browsers
  (if the respective CA is not preconfigured directly in the web browser, it
  can e.g. be deployed to all machines in the organization in batch)

Comment 7 Jan Pokorný [poki] 2010-12-08 20:30:28 UTC
Note: this was fixed in the context of work on the pkg-update upstream
      branch, which means the fix ties closely to the major change
      brought from this branch into the main-line upstream code
      in connection with bug #660446
