Project

General

Profile

Actions

Bug #11652

closed

Foreman installer sets Apache2 SSLCACertificatePath to system Trust Store

Added by Arnd Hannemann over 9 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Foreman modules
Target version:
Difficulty:
easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

The SSLCACertificatePath of the foreman ssl and puppet master vhost is set to the System Trust Store.
On debian this is:

SSLCACertificatePath    "/etc/ssl/certs"

So every user of a certificate issued by one of these CAs (there are many) can be successfully authenticate
against this apache installation.

Per Default foreman and the puppet master should really only trust his own CA (SSLCACertificateFile).
SSLCACertificatePath should not be set.

I verified this bug, by using an S/MIME valid certificate which I imported into my browser and then calling the Foreman ENC.
Luckily Foreman rejected the request because my E-Mail adress was not listed in the trusted_puppetmaster_hosts. However,
I still think this is a security bug.

The issue is caused by the defaults of the puppetlabs apache module, which turns into a problem if SSL
Client authentication is used.
There were also upstream Pull requests against the puppetlabs module, which to allow unset this Parameter, but unfortunately the default was not changed:

https://github.com/puppetlabs/puppetlabs-apache/pull/787
https://github.com/puppetlabs/puppetlabs-apache/pull/913

The foreman puppet modules (puppet-foreman, puppet-puppet) should explicitly unset ssl_certs_dir when configuring apache vhosts.

Actions

Also available in: Atom PDF