Bug #19390

Using ssl_ca_path prevents verification using system trusted CA

Added by Martin Bacovsky about 3 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Urgent
Category: Hammer core

Description

OpenSSL is using certs either from ssl_ca_path or the system CA store. There is no fallback to system when the CA is not found in ssl_ca_path.
Setting ssl_ca_path to .hammer/certs thus disables using system trusted CAs for verification.

Associated revisions

Revision 3e82114e (diff)
Added by Martin Bacovsky about 3 years ago

Fixes #19390 - use local ca cert store instead of ssl_ca_path

This patch changes the way the locally downloaded certs are handled.
Setting of ssl_ca_path prevented usage of system trusted CA certs for
verification.

With this patch, when the ca cert is downloaded with --fetch-ca-cert it is
stored to the local store. When Hammer opens a connection it checks if
any cert for the actual URI is present in the store and uses it
by setting ssl-ca-file. This works only if ssl_ca_path and ssl_ca_file
are not set.

Please enter the commit message for your changes. Lines starting
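
The either/or behaviour from the description and the selection rule from the commit message above, as an added Ruby example that is not Hammer's own code. The certificates are constructed in memory, `system_dir` stands in for the system trust directory, and the `<host>.pem` layout of the local store and the helper names are assumptions.

```ruby
require 'openssl'
require 'tmpdir'
require 'uri'

# Constructed throwaway PKI; no cert here comes from Hammer or a real CA.
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Either/or trust: an explicit path or file replaces system_dir (assumed stand-in for system CAs).
def build_store(system_dir, ssl_ca_path: nil, ssl_ca_file: nil)
  store = OpenSSL::X509::Store.new
  store.add_path(ssl_ca_path) if ssl_ca_path
  store.add_file(ssl_ca_file) if ssl_ca_file
  store.add_path(system_dir) unless ssl_ca_path || ssl_ca_file
  store
end

# Selection from the commit message; the "<host>.pem" file layout is hypothetical.
def ca_options(uri, settings, local_store)
  return settings if settings[:ssl_ca_path] || settings[:ssl_ca_file]
  pem = File.join(local_store, "#{URI(uri).host}.pem")
  File.exist?(pem) ? { ssl_ca_file: pem } : {}
end

def demo
  Dir.mktmpdir do |tmp|
    sys, certs, local = %w[sys certs local].map { |d| File.join(tmp, d).tap { |p| Dir.mkdir(p) } }
    k1, k2, k3 = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
    pub_ca, priv_ca = make_cert('Constructed Public CA', k1), make_cert('Constructed Private CA', k2)
    { sys => pub_ca, certs => priv_ca }.each do |dir, ca| # hashed file names, as c_rehash creates
      File.write(File.join(dir, format('%08x.0', ca.subject.hash)), ca.to_pem)
    end
    File.write(File.join(local, 'foreman.example.com.pem'), priv_ca.to_pem)
    pub_leaf = make_cert('www.example.org', k3, pub_ca, k1)
    priv_leaf = make_cert('foreman.example.com', k3, priv_ca, k2)
    { bug: build_store(sys, ssl_ca_path: certs).verify(pub_leaf),
      fixed_private: build_store(sys, **ca_options('https://foreman.example.com', {}, local)).verify(priv_leaf),
      fixed_public: build_store(sys, **ca_options('https://www.example.org', {}, local)).verify(pub_leaf) }
  end
end
p demo if $PROGRAM_NAME == __FILE__
```

`bug` is false because the store built from the certs directory never consults the stand-in system directory; both `fixed_*` results are true because the per-host CA file is applied only to the host it was fetched for.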

Revision 45a34f3d (diff)
Added by Martin Bacovsky about 3 years ago

Refs #19390 - More detailed instructions on SSL verification fail

History

#1 Updated by The Foreman Bot about 3 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/hammer-cli-foreman/pull/308 added

#2 Updated by Tomáš Strachota about 3 years ago

  • Legacy Backlogs Release (now unused) set to 256

#3 Updated by The Foreman Bot about 3 years ago

  • Pull request https://github.com/theforeman/hammer-cli/pull/237 added

#4 Updated by Martin Bacovsky about 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
