Project

General

Profile

Bug #27462

katello-certs-check (check-ca-bundle) doesn't catch openssl error correctly

Added by Hao Yu over 1 year ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Helms
Category:
foreman-installer script
Target version:
Foreman - 2.3.0
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman-installer/pull/617, https://github.com/theforeman/foreman-installer/pull/376
Fixed in Releases:
Foreman - 2.3.0
Found in Releases:

Description

Description of problem:
Openssl will return 0 exit code and "OK" message for some errors. For example:

  1. openssl verify -CAfile /root/min_bundle.pem -purpose sslserver /root/sat_cert.pem
    /root/sat_cert.pem: C = AU, O = My Org, OU = Web Servers, CN = satellite.example.com
    error 26 at 0 depth lookup:unsupported certificate purpose
    OK
  1. echo $?
    0

The "check-ca-bundle" function only catches the exit code but doesn't catch the error message. This causes the invalid ssl server certificate to pass the test.

Associated revisions

Revision 1c48582b (diff)
Added by Hao Yu 2 months ago

Fixes #27462 - Capture the openssl error correctly

Older openssl version will still return 0 exit code and "OK" message
for some errors, such as the openssl in RHEL 7. This cause the
katello-certs-check script not capturing certificate error correctly.
This patch fixed the issue.

Revision b95e07ab (diff)
Added by Eric Helms 2 months ago

Refs #27462 - Add test case for invalid purpose sslserver

History

#1 Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-installer/pull/376 added

#2 Updated by Hao Yu over 1 year ago

This issue seems to only happen in older version of openssl, such as RHEL 7.6 with "openssl-1.0.2k". It doesn't happen in Fedora 27 with "openssl-1.1.0g".

#3 Updated by The Foreman Bot 2 months ago

  • Assignee set to Eric Helms
  • Pull request https://github.com/theforeman/foreman-installer/pull/617 added

#4 Updated by The Foreman Bot 2 months ago

  • Fixed in Releases 2.4.0 added

#5 Updated by Hao Yu 2 months ago

  • Status changed from Ready For Testing to Closed

#6 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

  • Triaged changed from No to Yes
  • Target version set to 2.3.0
  • Fixed in Releases 2.3.0 added
  • Fixed in Releases deleted (2.4.0)

Also available in: Atom PDF