Description of problem:
The SSL functionality was recently changed in the current release (2.3.3), please see bug 885173 and bug 885167. These changes need to be documented. At least the following changes are needed:
1. Besides the already documented connection options (ssl_keyfile, ssl_certfile), the new related options shall be documented (ssl_trustfile, ssl_skip_hostname_check).
2. The following sentences shall no longer be valid:
"Server authentication is not supported."
"The server's SSL certificate is not validated against the chain of trust in the client's certificate store."
"The server's SSL certificate is not matched against the connection hostname."

note: Although both of the above mentioned bugs have the needs_documentation+ flag set, I was unable to find the related doc bug. If there is an existing doc bug, feel free to close this bug as a duplicate.

Version-Release number of selected component (if applicable):
Messaging Installation and Configuration Guide - Revision 2-91

Actual results:
Obsolete documentation regarding the SSL functionality in the MCIG

Expected results:
SSL functionality documentation is up to date in the MCIG
Documentation shall also mention that both connection hostname validation against the server's certificate CN/SAN and the server's certificate validation against the chain of trust are not supported on rhel5 and are only done on-demand on rhel6.
https://brewweb.devel.redhat.com/buildinfo?buildID=276786 In version 2-95: Section 9.2.6 updated with information on the availability of the ssl_trustfile parameter for RHEL 6 Python clients in MRG 2.3.3. Should be available on the documentation stage within 60 minutes: http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#Enable_SSL_in_Python_Clients
Joshua, the changes done seem quite good, but I'm still missing some content, please see below:
1. The documentation now states that SSL certificate validation against the chain of trust is supported in MRG 2.3.3 and above. The same is true for connection hostname validation. So the sentence "The server's SSL certificate is not matched against the connection hostname." is no longer valid for MRG 2.3.3 and above (rhel6 only).
2. Documentation shall mention that the server's certificate validation is only done on-demand, i.e. 'ssl_trustfile' is an optional parameter and if it is not provided the server's certificate validation is not done.
3. The 'ssl_skip_hostname_check' connection option parameter might also be documented in the "MRG 2.3 Python SSL Parameters" paragraph (when set to true the connection hostname verification against the server certificate is skipped, default false).
Updated: http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#Enable_SSL_in_Python_Clients
Thanks for the changes, I approve that the points 1.-3. from comment 5 are documented. I would just add one more note to make the hostname checking functionality clear: ... "On all operating systems prior to 2.3.3, the server's SSL certificate is not matched against the connection hostname. In MRG Messaging 2.3.3, the Red Hat Enterprise Linux 6 Python client matches the server's SSL certificate against the connection hostname." ++ (note: the connection hostname is validated only when 'ssl_trustfile' is provided) ...
Change made: http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_Installation_and_Configuration_Guide/index.html#Enable_SSL_in_Python_Clients It's not intuitive that connection hostname validation should depend on certificate authority validation, so that needs to be explained. It does seem that the connection name should be validated against the certificate, even if the certificate is not being validated against a chain of trust...
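The comments above describe the verification policy the Python client's connection options imply: with no ssl_trustfile the server is not authenticated and the hostname is not checked; with ssl_trustfile the chain of trust is verified and the hostname is matched unless ssl_skip_hostname_check is set. The block below is an added illustration, not the MRG Python client's own code: it models that policy with the standard-library ssl module (the option names are taken from this thread; the functions client_ssl_policy, build_client_context and hostname_check_requires_chain_check are my own), and shows why hostname validation depends on chain validation, which is the point raised in the last comment: a hostname match without a trusted signature only proves that someone wrote that name into an unverified certificate.

```python
import ssl


def client_ssl_policy(ssl_trustfile=None, ssl_skip_hostname_check=False):
    """Map the documented connection options onto a verification policy.

    Returns a dict with plain booleans so the policy can be inspected
    without touching an SSLContext.
    """
    if ssl_trustfile is None:
        # No chain of trust to verify against: the server is not
        # authenticated, so a hostname match would be meaningless too.
        return {"verify_chain": False, "check_hostname": False}
    return {"verify_chain": True, "check_hostname": not ssl_skip_hostname_check}


def build_client_context(ssl_trustfile=None, ssl_skip_hostname_check=False,
                         ssl_certfile=None, ssl_keyfile=None):
    """Build an ssl.SSLContext that enforces client_ssl_policy()."""
    policy = client_ssl_policy(ssl_trustfile, ssl_skip_hostname_check)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname must be lowered before verify_mode
    # may become CERT_NONE, because the ssl module refuses the
    # "check hostname but trust any chain" combination.
    ctx.check_hostname = policy["check_hostname"]
    ctx.verify_mode = ssl.CERT_REQUIRED if policy["verify_chain"] else ssl.CERT_NONE
    if ssl_trustfile is not None:
        # Assumed: ssl_trustfile is a PEM bundle of trusted CA certificates.
        ctx.load_verify_locations(cafile=ssl_trustfile)
    if ssl_certfile is not None:
        # Client certificate for mutual authentication (ssl_certfile/ssl_keyfile).
        ctx.load_cert_chain(certfile=ssl_certfile, keyfile=ssl_keyfile)
    return ctx


def describe_context(ctx):
    """Summarise a context as plain values for inspection or assertions."""
    return {
        "verify_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def hostname_check_requires_chain_check():
    """Return True if the ssl module rejects hostname checking without chain
    checking, which is exactly the dependency the thread asks to explain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname=True, CERT_REQUIRED
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("no trustfile:", client_ssl_policy())
    print("trustfile:", client_ssl_policy("ca.pem"))
    print("trustfile, skip hostname:", client_ssl_policy("ca.pem", True))
    print("ssl module enforces the dependency:", hostname_check_requires_chain_check())
```

build_client_context() without a trust file yields the weak configuration the old documentation described (no server authentication at all); the hardened form is the same call with ssl_trustfile pointing at the CA bundle and ssl_skip_hostname_check left at its default of false.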
I approve the content, thanks for the changes. Messaging Installation and Configuration Guide - Revision 2-98 -> VERIFIED