Bug 734834 - Add debug info for X509 certificate validation in repo_auth
Status: CLOSED CURRENTRELEASE
Product: Pulp
Classification: Retired
Component: rel-eng
Version: Master
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Assignee: pulp-bugs
QA Contact: Preethi Thomas
Reported: 2011-08-31 15:07 UTC by John Matthews
Modified: 2014-12-18 00:00 UTC

Doc Type: Bug Fix
Last Closed: 2014-12-18 00:00:09 UTC

Description John Matthews 2011-08-31 15:07:32 UTC
Description of problem:
Repo auth is using OpenSSL's X509_STORE_CONTEXT::verify_cert() to validate a certificate.

If this is successful it returns 1; on failure, 0.
We could add a callback into M2Crypto and OpenSSL which would tell us more information about why a certificate failed verification.

When a certificate fails verification we want to log a reason in Apache's logs.

Comment 1 John Matthews 2012-01-17 17:28:08 UTC
Refer to the m2crypto patches below for possible solutions to exposing the verify callback.

https://bugzilla.osafoundation.org/show_bug.cgi?id=11690
and Patch: https://bugzilla.osafoundation.org/attachment.cgi?id=5710

Comment 2 Chris Duryee 2014-12-18 00:00:09 UTC
The patched version of m2crypto was removed with commit f435a14. It looks like there is logging in the current cert verification that should be sufficient.

Marking bz as closed/currentrelease but feel free to re-open if you see any particular use cases that are not logged appropriately.
