Project

General

Profile

Bug #13817

ENC smart proxy validation fails

Added by Matthew Ceroni almost 4 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
Security
Target version:
Difficulty:
Triaged:
Bugzilla link:

Description

Using latest nightly and encountered the following error: No smart proxy server found on [] and is not in trusted_puppetmaster_hosts

As you can see it wasn't listing the connecting smart proxy / host. Dug into the code and found the following section of code:


if certificate.subject_alternative_names
request_hosts += certificate.subject_alternative_names
elsif certificate.subject
request_hosts << certificate.subject
end

Testing of certificate.subject_alternative_names always evaluates to true even when no SAN. This results in request_hosts to be empty and authentication of the request fails.


Related issues

Related to Foreman - Feature #12127: Foreman should verify x509 subject alternative names when authenticating a smart proxyClosed2015-10-09

Associated revisions

Revision f441da9d (diff)
Added by cyrus-mc almost 4 years ago

fixes #13817 - test certificate.subject_alternative_names for presence

Otherwise certificate SAN test is always true even with no SAN. This
results in request_hosts being empty and thus ENC authentication fails.

With test by Dominic Cleal <>

Revision 35b10472 (diff)
Added by cyrus-mc over 3 years ago

fixes #13817 - test certificate.subject_alternative_names for presence

Otherwise certificate SAN test is always true even with no SAN. This
results in request_hosts being empty and thus ENC authentication fails.

With test by Dominic Cleal <>

(cherry picked from commit f441da9df0f835b1db166724c6ebbc2a695bc498)

History

#1 Updated by Matthew Ceroni almost 4 years ago

Created pull request to fix issue:

[[https://github.com/theforeman/foreman/pull/3213]]

#2 Updated by Michael Moll almost 4 years ago

  • Category set to Security
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3213 added

#3 Updated by Dominic Cleal almost 4 years ago

  • Assignee set to Matthew Ceroni
  • Legacy Backlogs Release (now unused) set to 71

#4 Updated by Dominic Cleal almost 4 years ago

  • Related to Feature #12127: Foreman should verify x509 subject alternative names when authenticating a smart proxy added

#5 Updated by The Foreman Bot almost 4 years ago

  • Pull request https://github.com/theforeman/foreman/pull/3277 added

#6 Updated by Anonymous almost 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Bryan Kearney over 3 years ago

  • Bugzilla link set to 1326036

Also available in: Atom PDF