734834 – Add debug info for X509 certificate validation in repo_auth

Bug 734834 - Add debug info for X509 certificate validation in repo_auth

Summary: Add debug info for X509 certificate validation in repo_auth

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Pulp
Classification:	Retired
Component:	rel-eng
Sub Component:
Version:	Master
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	pulp-bugs
QA Contact:	Preethi Thomas
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-31 15:07 UTC by John Matthews
Modified:	2014-12-18 00:00 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-12-18 00:00:09 UTC
Embargoed:

Attachments	(Terms of Use)

Description John Matthews 2011-08-31 15:07:32 UTC

Description of problem:
Repo auth is using OpenSSL's X509_STORE_CONTEXT::verify_cert() to validate a certificate.

If this is successful it returns 1, on failure 0.
We could add a callback into M2Crypto and OpenSSL which would tell us more information about why a certificate failed verification.

When a certificate fails verification we want to log a reason in apache's logs.

Comment 1 John Matthews 2012-01-17 17:28:08 UTC

Refer to below m2crypto patches for possible solutions to exposing the verify callback.

https://bugzilla.osafoundation.org/show_bug.cgi?id=11690
and Patch: https://bugzilla.osafoundation.org/attachment.cgi?id=5710

Comment 2 Chris Duryee 2014-12-18 00:00:09 UTC

The patched version of m2crypto was removed with commit f435a14. It looks like there is logging in the current cert verification that should be sufficient.

Marking bz as closed/currentrelease but feel free to re-open if you see any particular use cases that are not logged appropriately.

Note You need to log in before you can comment on or make changes to this bug.