Modify

Ticket #1127 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

SSLCA certificate validation is being carried out with the CA specified as `untrusted'

Reported by: Michael Fincham <[email protected]…> Owned by: https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc
Priority: major Milestone:
Component: bcfg2-server Version: 1.0
Keywords: Cc: Chris St. Pierre <[email protected]…>

Description

On my installation SSLCA managed certificates are only valid during the client run in which they are created, subsequent runs declare the certificate as invalid and delete it.

I see that diff:src/lib/Server/Plugins/[email protected]:f379b0e43cfa0137379ad0f78f48223eba7db61a on line 187 the way openssl is called was changed:

  • res = Popen(["openssl", "verify", "-CAfile", chaincert, cert],

+ res = Popen(["openssl", "verify", "-untrusted", chaincert, "-purpose", + "sslserver", cert],

This seems to cause validation of the stored cert to always fail:

Aug 27 18:26:48 manager bcfg2-server[29849]: SSLCA: /etc/stunnel/mysql-client-cert.pem failed verification against CA: /var/lib/bcfg2/SSLCA/etc/stunnel/mysql-client-cert.pem/mysql-client-cert.pem.H_test.example.com: /C=NZ/O=Example/CN=example.com#012error 19 at 1 depth lookup:self signed cer

Changing "-untrusted" back to "-CAfile" allows validation to succeed:

SSLCA/etc/stunnel/mysql-client-cert.pem/mysql-client-cert.pem.H_test.example.com: OK

Is there some reason I can't discern for why this was changed to "-untrusted"?

Attachments

Change History

comment:1 Changed 10 years ago by https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc

  • Owner changed from desai to https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc
  • Status changed from new to accepted

comment:2 Changed 10 years ago by https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc

  • Status changed from accepted to closed
  • Resolution set to fixed

Fixed in:

https://github.com/Bcfg2/bcfg2/commit/f0a75666bfe2d101ac5b99534680047b47ec1224 https://github.com/Bcfg2/bcfg2/commit/fde8bdfdfbe77e1bcd714b45dc443dcd9eb7cb7c

-CAfile was changed to -untrusted to support verifying against an intermediate cert, but it broke verification against a root CA cert. If you are verifying against a root CA cert, you will need to either apply the patch above and set root_ca = true in bcfg2.conf, or keep the change you've already made. If you're verifying against a cert bundle (i.e., a file that contains both the root cert and an intermediate cert), then you can split the root cert out and add it to your ca-bundle.crt, and just set chaincert to your intermediate cert.

comment:3 Changed 10 years ago by Michael Fincham <[email protected]…>

Thanks! I cannot tell you how much I appreciate your speedy patch for this :)

WARNING! You need to establish a session before you can create or edit tickets. Otherwise the ticket will get treated as spam.

View

Add a comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
The resolution will be deleted. Next status will be 'reopened'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.