Bug 970805 - httpd conf should set accurate ServerName to avoid TLS "Unrecognized Name" warning
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jason DeTiberus
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks: 957117 973219
Reported: 2013-06-04 23:33 UTC by Miciah Dashiel Butler Masters
Modified: 2017-03-08 17:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: As documented and scripted, httpd ServerName was left as "localhost" and the SSL certificate created on node/broker hosts was invalid. Separately, Java 7 HTTPS clients refuse connections when certain related warnings are given by a server. Consequence: Access by Java 7-based clients (e.g. JBoss Developer Tools) to the broker would fail, as well as Java 7 client access to apps. Fix: Documentation and example install scripts were modified to indicate setting the ServerName and creating correct certificates. Result: This problem should not occur if the documentation or scripts are followed.
Clone Of:
: 973219 (view as bug list)
Environment:
Last Closed: 2013-07-09 19:50:35 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | JBIDE-14760 | 0 | Major | Closed | Cannot connect to OpenShift Enterprise with hostname: javax.net.ssl.SSLProtocolException (WATCHER) | 2020-03-17 06:53:30 UTC |
| Red Hat Product Errata | RHEA-2013:1031 | 0 | normal | SHIPPED_LIVE | Red Hat OpenShift Enterprise 1.2 Infrastructure Release Advisory | 2013-07-09 23:48:02 UTC |

Description Miciah Dashiel Butler Masters 2013-06-04 23:33:10 UTC
Description of problem:
In the installation scripts and deployment guide, we do not change the ServerName setting for the broker's Apache from the default of 'localhost'.  Consequently, the TLS handshake raises a warning alert.  This warning alert can cause JBoss Developer Studio to report an authentication failure.

Version-Release number of selected component (if applicable):

How reproducible:
Thoroughly.

Steps to Reproduce:
1. Install a new broker host and a new node host using the installation scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.1/enterprise/install-scripts/> (for OSE 1.1), the scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.2/enterprise/install-scripts/> (for OSE 1.2), or the deployment guide at <https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html-single/Deployment_Guide/index.html>.

2. Run `httpd -S` on the broker host.

3. Run `tcpdump -lnni eth0 -w /tmp/tcpdump.out tcp port 443` on the broker host, run `curl -k https://broker.example.com/broker/rest/api` on a host that is remote to the broker, and run Wireshark on the resulting tcpdump.out file.

Actual results:

In Step 2, the `httpd -S` output shows 'localhost' for the virtual servers.

In Step 3, Wireshark shows "TLSv1    Alert (Level: Warning, Description: Unrecognized Name), Server Hello, Certificate" in the TLS handshake of every new connection.

Expected results:

In Step 2, the `httpd -S` output should show the configured hostnames for the virtual servers.

In Step 3, Wireshark should not show any warnings or errors in the TLS handshake.

Additional info:

Back in November/December, we discussed how to set NameVirtualHost, ServerName, and ServerAlias in the broker's Apache configuration for the broker so as to have the broker respond to requests directed to it as well as to live harmoniously with the node's Apache instance, should the broker and node be installed on the same host.  Part of the discussion is in bug 876324.

The outcome of the discussion is that the current installation scripts delete the VirtualHost stanza from the ssl.conf that ships with mod_ssl, and we have "ServerAlias localhost" and "ServerName localhost" in Apache conf.d files that ship with the OpenShift packages for both the node and the broker.  (ServerName is in a separate configuration file to make it easier for sysadmins to change the ServerName setting, but we do not instruct sysadmins to change the setting—we just say, "Feel free to change this as desired" in a comment in the configuration file.)

The effect of the current default configuration is that we sometimes get warnings from Apache when it starts, but things generally work properly, with the broker and node responding to requests without either one taking HTTP connections that are supposed to go to the other.

An additional, undesirable effect of leaving ServerName set to localhost is that Java Developer Studio reports that credentials are invalid.  A user reports that with debugging enabled, Apache reports "No matching SSL virtual host  for servername foo.com found (using default/first virtual host)," and Wireshark shows "unrecognized name" in the SSL Hello handshake.  This user reports that he saw the problem with JBoss Developer Studio using OpenJDK 6, Oracle JDK 6, and OpenJDK 7 and that the problem goes away when ServerName is changed to the host's external host name.

As shown above, I have verified that Wireshark shows "TLSv1    Alert (Level: Warning, Description: Unrecognized Name), Server Hello, Certificate" when I hit /broker/rest/api on a test broker from a recent OSE-1.2 puddle and that the warning goes away when I change ServerName to broker.example.com on my test broker.

So it looks like our configuration will cause a warning with TLS (a little bad), and JDS treats the TLS warning as a fatal error in authentication (really bad).

A similar problem with Java 1.7 and TLS is reported here: http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0

A bug report against the JDK was filed with Oracle for treating the warning as a fatal error by default, but that bug report has been closed as "Not an Issue": http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7127374
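
The Wireshark observation from Step 3 can also be checked in code. The following Ruby is an added example, not part of the original report or of any OpenShift tool: it splits a server's first TLS flight into records and reports a plaintext warning alert with description unrecognized_name (code 112, RFC 6066). The sample bytes are constructed for illustration.

```ruby
# TLS record-layer constants (RFC 5246) and the SNI alert code (RFC 6066).
CONTENT_TYPES = { 20 => :change_cipher_spec, 21 => :alert,
                  22 => :handshake, 23 => :application_data }.freeze
ALERT_LEVELS = { 1 => :warning, 2 => :fatal }.freeze
ALERT_DESCRIPTIONS = { 0 => :close_notify, 40 => :handshake_failure,
                       112 => :unrecognized_name }.freeze

# Split a byte string into TLS records: type(1) version(2) length(2) body.
def tls_records(bytes)
  records = []
  pos = 0
  while pos + 5 <= bytes.bytesize
    type, version, length = bytes.byteslice(pos, 5).unpack('Cnn')
    body = bytes.byteslice(pos + 5, length)
    break if body.nil? || body.bytesize < length # capture ends mid-record
    records << { type: CONTENT_TYPES.fetch(type, type), version: version, body: body }
    pos += 5 + length
  end
  records
end

# Alerts sent before encryption starts are two plaintext bytes: level, description.
def plaintext_alerts(bytes)
  tls_records(bytes).select { |r| r[:type] == :alert && r[:body].bytesize == 2 }.map do |r|
    level, desc = r[:body].unpack('CC')
    { level: ALERT_LEVELS.fetch(level, level),
      description: ALERT_DESCRIPTIONS.fetch(desc, desc) }
  end
end

# True when the server answered the client's SNI with the warning from this bug.
def sni_warning?(bytes)
  plaintext_alerts(bytes).include?({ level: :warning, description: :unrecognized_name })
end

# Constructed sample: TLSv1 alert record, then a handshake record with a stub body.
SAMPLE_FLIGHT = ['1503010002' '0170' '1603010004' '02000000'].pack('H*')

if __FILE__ == $PROGRAM_NAME
  p plaintext_alerts(SAMPLE_FLIGHT)
  puts "SNI mismatch warning present: #{sni_warning?(SAMPLE_FLIGHT)}"
end
```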

Comment 2 Brenton Leanhardt 2013-06-05 12:21:36 UTC
Should we fix this with a combination of documentation and an oo-accept-broker check?

Comment 3 Miciah Dashiel Butler Masters 2013-06-05 12:34:00 UTC
I would suggest documentation, oo-accept-broker, and the installation scripts in openshift-extras as well.

Krishna's Puppet module for Origin already sets ServerName: https://github.com/openshift/puppet-openshift_origin/blob/master/templates/broker/broker_servername.conf.erb

Comment 4 Jason DeTiberus 2013-06-06 18:52:07 UTC
Pull request to update install scripts to set ServerName to the hostname for broker and nodes.
https://github.com/openshift/openshift-extras/pull/29

Comment 5 Luke Meyer 2013-06-06 20:36:29 UTC
It's pretty hard to check in oo-accept-broker that the ServerName is *correct*. We could pretty easily check that it's not the default localhost, though.

Comment 6 Jason DeTiberus 2013-06-11 14:32:28 UTC
Updates to oo-diagnostics:
https://github.com/openshift/origin-server/pull/2810

Updates to install script:
https://github.com/openshift/openshift-extras/pull/29

Comment 7 openshift-github-bot 2013-06-11 16:30:26 UTC
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/6dc5503401a78a337c11f71c560d663ed27bca59
<oo-diagnostics> Bug 970805 - Add check for broker SSL cert

https://bugzilla.redhat.com/show_bug.cgi?id=970805

Add a test for verifying that the broker SSL cert is valid and that
ServerName matches the certificate Common Name
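
A check of the kind discussed in Comments 5 and 7, written here as an added Ruby example; it is not the oo-diagnostics code from the commit above. It rejects the default `localhost`, ignores commented-out directives, and compares ServerName against the names in the certificate. The helper names, the config text and the self-signed certificate are all constructed for illustration.

```ruby
require 'openssl'

# First active ServerName in Apache config text; commented lines are ignored.
# Strips the optional scheme and port that the directive allows.
def server_name(conf_text)
  conf_text.each_line do |line|
    m = line.match(/^\s*ServerName\s+(\S+)/i)
    return m[1].sub(%r{\A\w+://}, '').sub(/:\d+\z/, '').downcase if m
  end
  nil
end

# Host names the certificate carries: subject CN plus subjectAltName DNS entries.
def cert_names(cert)
  cn = cert.subject.to_a.select { |field, _, _| field == 'CN' }.map { |_, value, _| value }
  san = cert.extensions.select { |e| e.oid == 'subjectAltName' }
            .flat_map { |e| e.value.scan(/DNS:([^,\s]+)/).flatten }
  (cn + san).map(&:downcase).uniq
end

# Exact-match comparison only; wildcard certificates are not handled here.
def check_servername(conf_text, cert)
  name = server_name(conf_text)
  return [:error, 'no ServerName directive set'] if name.nil?
  return [:error, 'ServerName is still the default localhost'] if name == 'localhost'
  return [:error, "certificate does not cover #{name}"] unless cert_names(cert).include?(name)
  [:ok, name]
end

# Constructed self-signed certificate for a sample host name.
def sample_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = sample_cert('broker.example.com')
  p check_servername("ServerName localhost\n", cert)
  p check_servername("# default ServerName\nServerName broker.example.com\n", cert)
end
```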

Comment 8 Jason DeTiberus 2013-06-11 17:01:38 UTC
Finally, enterprise updates:
https://github.com/openshift/enterprise-server/pull/78

Comment 9 JBoss JIRA Server 2013-06-13 09:29:41 UTC
Andre Dietisheim <adietish> made a comment on jira JBIDE-14760

Moving this WATCHER to 4.1.x since the root issue in OpenShift Enterprise is fixed but not published/released yet. We keep watching it and will resolve it once we can test against a fixed instance.

Comment 10 Gaoyun Pei 2013-06-13 10:19:06 UTC
Verify this on puddle:
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.2/2013-06-12.3/

After setting up OSE env, check the ServerName of broker and nodes:

[root@broker conf.d]# cat 000002_openshift_origin_broker_servername.conf |grep ServerName
# a consistent default ServerName broker.osevvv.com
ServerName broker.osevvv.com

[root@node conf.d]# cat 000001_openshift_origin_node_servername.conf|grep ServerName
# a consistent default ServerName node.osevvv.com
ServerName node.osevvv.com

Both of them are correct.

Use oo-diagnostics to verify that the broker SSL cert is valid; no errors are thrown.

[root@broker conf.d]# oo-diagnostics -v
INFO: loading list of installed packages
INFO: OpenShift broker installed.
...
INFO: running: test_broker_certificate
NO ERRORS

Comment 12 errata-xmlrpc 2013-07-09 19:50:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1031.html

