Bug #11652

Foreman installer sets Apache2 SSLCACertificatePath to system Trust Store

Added by Arnd Hannemann over 4 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Foreman modules
Target version:
Difficulty:
easy
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

The SSLCACertificatePath of the foreman ssl and puppet master vhost is set to the System Trust Store.
On debian this is:

SSLCACertificatePath    "/etc/ssl/certs"

So every user of a certificate issued by one of these CAs (there are many) can successfully authenticate against this apache installation.

By default foreman and the puppet master should really only trust their own CA (SSLCACertificateFile).
SSLCACertificatePath should not be set.

I verified this bug by using a valid S/MIME certificate, which I imported into my browser, and then calling the Foreman ENC.
Luckily Foreman rejected the request because my e-mail address was not listed in the trusted_puppetmaster_hosts. However,
I still think this is a security bug.

The issue is caused by the defaults of the puppetlabs apache module, which turn into a problem if SSL
client authentication is used.
There were also upstream pull requests against the puppetlabs module to allow unsetting this parameter, but unfortunately the default was not changed:

https://github.com/puppetlabs/puppetlabs-apache/pull/787
https://github.com/puppetlabs/puppetlabs-apache/pull/913

The foreman puppet modules (puppet-foreman, puppet-puppet) should explicitly unset ssl_certs_dir when configuring apache vhosts.
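As an added illustration (not part of this bug report, nor code from the Foreman or puppetlabs-apache projects), the script below embeds two constructed vhost snippets: one shaped like what the module defaults produced, with SSLCACertificatePath pointing at the Debian system trust store, and one with that directive dropped so only the CA named in SSLCACertificateFile is trusted for client certificates. It then parses the SSL* directives and flags the wide-trust case. All file paths and the list of system trust directories are assumptions chosen for the example.

```python
"""Audit Apache vhost snippets for the SSLCACertificatePath problem
described in Foreman bug #11652 (added example, not project code)."""
import re
from typing import Dict, List

# Constructed sample: a vhost as the puppetlabs-apache defaults produced it.
# SSLCACertificatePath points at the Debian system trust store, so any CA
# shipped there can issue a client certificate this vhost will accept.
WEAK_VHOST = """
<VirtualHost *:443>
  ServerName foreman.example.com
  SSLEngine on
  SSLCertificateFile      "/var/lib/puppet/ssl/certs/foreman.example.com.pem"
  SSLCertificateKeyFile   "/var/lib/puppet/ssl/private_keys/foreman.example.com.pem"
  SSLCACertificateFile    "/var/lib/puppet/ssl/certs/ca.pem"
  SSLCACertificatePath    "/etc/ssl/certs"
  SSLVerifyClient optional
  SSLVerifyDepth 3
</VirtualHost>
"""

# Constructed sample: the same vhost with the path directive left unset, so
# client certificates are only accepted from the Puppet CA in SSLCACertificateFile.
FIXED_VHOST = """
<VirtualHost *:443>
  ServerName foreman.example.com
  SSLEngine on
  SSLCertificateFile      "/var/lib/puppet/ssl/certs/foreman.example.com.pem"
  SSLCertificateKeyFile   "/var/lib/puppet/ssl/private_keys/foreman.example.com.pem"
  SSLCACertificateFile    "/var/lib/puppet/ssl/certs/ca.pem"
  SSLVerifyClient optional
  SSLVerifyDepth 3
</VirtualHost>
"""

# Directories commonly used as the OS-wide CA store (assumption: illustrative
# list, extend it for your distribution).
SYSTEM_TRUST_DIRS = {
    "/etc/ssl/certs",
    "/etc/pki/tls/certs",
    "/etc/pki/ca-trust/extracted/pem",
}

# One SSL* directive per line, value optionally double-quoted.
DIRECTIVE_RE = re.compile(r'^\s*(SSL\w+)\s+"?([^"\s]+)"?', re.MULTILINE)


def parse_ssl_directives(vhost: str) -> Dict[str, str]:
    """Return the SSL* directives of a single vhost as a name -> value map."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(vhost)}


def audit_vhost(vhost: str) -> List[str]:
    """Flag client-certificate trust that is wider than the configured CA file."""
    directives = parse_ssl_directives(vhost)
    findings: List[str] = []
    if directives.get("SSLVerifyClient", "none").lower() == "none":
        return findings  # no client authentication, so the path directive is harmless here
    ca_path = directives.get("SSLCACertificatePath")
    if ca_path:
        msg = (f"SSLCACertificatePath {ca_path!r}: every CA in this directory "
               f"may issue client certificates this vhost accepts")
        if ca_path.rstrip("/") in SYSTEM_TRUST_DIRS:
            msg += " (system trust store: public CAs included)"
        findings.append(msg)
    if "SSLCACertificateFile" not in directives and not ca_path:
        findings.append("client verification enabled but no CA configured")
    return findings


if __name__ == "__main__":
    for label, snippet in (("weak", WEAK_VHOST), ("fixed", FIXED_VHOST)):
        print(f"{label}: {audit_vhost(snippet) or 'ok'}")
```

Run on the two snippets, the weak vhost yields one finding naming the system trust store and the fixed vhost yields none; pointing the audit at real vhost files from /etc/apache2/sites-enabled works the same way, since only the SSL* directives are read.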

Associated revisions

Revision 08911c3a (diff)
Added by Markus Frosch about 4 years ago

fixes #11652: set ssl_certs_dir to '' by default

This will avoid setting SSLCACertificatePath by default, and that way only request and authenticate certificates from the configured CA and not any other present in the certs directory.

History

#1 Updated by Dominic Cleal over 4 years ago

  • Project changed from Foreman to Installer
  • Category changed from Authentication to Foreman modules

#2 Updated by Markus Frosch about 4 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

#3 Updated by Dominic Cleal about 4 years ago

  • Legacy Backlogs Release (now unused) set to 71
