| 2023-11-15 12:01:54 |
Sergey Kraynev |
bug |
|
|
added bug |
| 2023-11-15 12:04:08 |
Sergey Kraynev |
description |
I try to create the listener with HTTPs Terminated protocol and want to use SSL certificate with empty CN field.
And I get error like: Unreadable Certificate.
due to IndexError on the line:
https://github.com/openstack/octavia/blob/7310986de9bf68ed86de90de0501a1bc46945526/octavia/common/tls_utils/cert_parser.py#L262
It happens, because this code tries to get CN from certificate and gets empty list.
I did not find any note in haproxy docs, that certificate without SSL is not allowed.
The same in octavia validation or code. So it looks like octavia could process cn = None in the code.
Is it possible obtain CN optionally and if it's missed set to None?
If it's not allowed, let's handle it in the more user-friendly way with clear error message instead of traceback due with IndexError. |
I try to create the listener with HTTPs Terminated protocol and want to use SSL certificate with empty CN field.
I generate ssl in the following way:
```
openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr
openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out cert.pem
```
And I get error like: Unreadable Certificate.
due to IndexError on the line:
https://github.com/openstack/octavia/blob/7310986de9bf68ed86de90de0501a1bc46945526/octavia/common/tls_utils/cert_parser.py#L262
It happens, because this code tries to get CN from certificate and gets empty list.
I did not find any note in haproxy docs, that certificate without SSL is not allowed.
The same in octavia validation or code. So it looks like octavia could process cn = None in the code.
Is it possible obtain CN optionally and if it's missed set to None?
If it's not allowed, let's handle it in the more user-friendly way with clear error message instead of traceback due with IndexError. |
|
| 2023-11-15 12:20:59 |
Sergey Kraynev |
description |
I try to create the listener with HTTPs Terminated protocol and want to use SSL certificate with empty CN field.
I generate ssl in the following way:
```
openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr
openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out cert.pem
```
And I get error like: Unreadable Certificate.
due to IndexError on the line:
https://github.com/openstack/octavia/blob/7310986de9bf68ed86de90de0501a1bc46945526/octavia/common/tls_utils/cert_parser.py#L262
It happens, because this code tries to get CN from certificate and gets empty list.
I did not find any note in haproxy docs, that certificate without SSL is not allowed.
The same in octavia validation or code. So it looks like octavia could process cn = None in the code.
Is it possible obtain CN optionally and if it's missed set to None?
If it's not allowed, let's handle it in the more user-friendly way with clear error message instead of traceback due with IndexError. |
I try to create the listener with HTTPs Terminated protocol and want to use SSL certificate with empty CN field.
I generate ssl in the following way:
```
openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr
openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out cert.pem
```
And I get error like: Unreadable Certificate.
due to IndexError on the line:
https://github.com/openstack/octavia/blob/7310986de9bf68ed86de90de0501a1bc46945526/octavia/common/tls_utils/cert_parser.py#L262
It happens, because this code tries to get CN from certificate and gets empty list.
I did not find any note in haproxy docs, that SSL certificate without CN is not allowed.
The same in octavia validation or code. So it looks like octavia could process cn = None in the code.
Is it possible obtain CN optionally and if it's missed set to None?
If it's not allowed, let's handle it in the more user-friendly way with clear error message instead of traceback due with IndexError. |
|
| 2023-11-17 00:24:09 |
Michael Johnson |
octavia: status |
New |
Confirmed |
|
| 2023-11-17 00:24:36 |
Michael Johnson |
octavia: importance |
Undecided |
Medium |
|
| 2023-11-22 21:50:22 |
OpenStack Infra |
octavia: status |
Confirmed |
In Progress |
|
| 2023-11-22 22:50:23 |
Michael Johnson |
octavia: assignee |
|
Michael Johnson (johnsom) |
|
| 2024-01-06 15:54:23 |
OpenStack Infra |
octavia: status |
In Progress |
Fix Released |
|
| 2024-01-23 16:03:25 |
OpenStack Infra |
tags |
|
in-stable-zed |
|
| 2024-01-23 16:03:29 |
OpenStack Infra |
tags |
in-stable-zed |
in-stable-yoga in-stable-zed |
|
