ca_file settings are wrongly honored in keystone, nova, neutron, cinder sessions

Bug #1593268 reported by György Szombathelyi
This bug affects 1 person
Affects   Status         Importance   Assigned to           Milestone
Sahara    Fix Released   High         György Szombathelyi
Mitaka    Fix Released   High         György Szombathelyi

Bug Description

ca_file settings in [nova], [neutron], etc. are passed as cert parameter to the keystone session, but cert means a client certificate. They must be passed to the verify parameter to act like a CA certificate.

György Szombathelyi (gyurco) wrote :
Changed in sahara:
status: New → In Progress
importance: Undecided → High
milestone: none → newton-2
assignee: nobody → György Szombathelyi (gyurco)
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/330635
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=9d428206cd7326ffc29101745dc4a2b12461760f
Submitter: Jenkins
Branch: master

commit 9d428206cd7326ffc29101745dc4a2b12461760f
Author: Gyorgy Szombathelyi <email address hidden>
Date: Thu Jun 16 17:01:35 2016 +0200

    Fix the ca certificate handling in the client sessions

    The verify parameter is a 3 state parameter:
    - it can be False if disabling CA checking is requested (insecure TLS)
    - it can be set to True to check CA with the system CA bundle
    - finally the path to the CA cert can be passed which must be used to
      check the session

    The cert parameter used currently is a client certificate, which is
    obviously wrong in this case.

    Change-Id: I100163713236a6096197e011963d08e994312dcd
    Closes-Bug: #1593268

Changed in sahara:
status: In Progress → Fix Released
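
The cert/verify mix-up from the bug description and the three-state verify mapping from the commit message, as an added example that is not the Sahara code: the function names, the `insecure` option name and its precedence over ca_file are assumptions, and the PEM file is a constructed sample. The audit helper flags a `cert` value whose file holds no private key, which is what a CA file passed as a client certificate looks like.

```python
import os
import tempfile

# Constructed sample: a PEM file holding only a certificate block (placeholder body).
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

def buggy_session_kwargs(ca_file=None):
    """Constructed reproduction of the mistake: the CA path lands in `cert`."""
    return {"cert": ca_file}

def fixed_session_kwargs(ca_file=None, insecure=False):
    """Map the settings onto the three-state `verify` value."""
    if insecure:  # assumed option name; letting it win over ca_file is an assumption
        return {"verify": False}    # CA checking disabled on request
    if ca_file:
        return {"verify": ca_file}  # check against this CA certificate
    return {"verify": True}         # check against the system CA bundle

def pem_labels(path):
    """Return the PEM block labels (e.g. 'CERTIFICATE') found in a file."""
    labels = set()
    with open(path, encoding="ascii", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                labels.add(line[len("-----BEGIN "):-5])
    return labels

def audit(kwargs):
    """Flag session kwargs that disable verification or carry a CA file in `cert`."""
    findings = []
    if kwargs.get("verify", True) is False:
        findings.append("verify=False: server certificate is not checked")
    cert = kwargs.get("cert")
    # `cert` is a client certificate: one file with cert and key, or a (cert, key) pair.
    if isinstance(cert, str) and os.path.isfile(cert):
        if not any(label.endswith("PRIVATE KEY") for label in pem_labels(cert)):
            findings.append("cert has no private key: CA file belongs in verify")
    return findings

def demo():
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(SAMPLE_CA)
    try:
        return audit(buggy_session_kwargs(fh.name)), audit(fixed_session_kwargs(fh.name))
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo())
```
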
OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/334806

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/sahara 5.0.0.0b2

This issue was fixed in the openstack/sahara 5.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (stable/mitaka)

Reviewed: https://review.openstack.org/334806
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=e46f0c77b7bb0167d48a9be915ce5e028e44dca6
Submitter: Jenkins
Branch: stable/mitaka

commit e46f0c77b7bb0167d48a9be915ce5e028e44dca6
Author: Gyorgy Szombathelyi <email address hidden>
Date: Thu Jun 16 17:01:35 2016 +0200

    Fix the ca certificate handling in the client sessions

    The verify parameter is a 3 state parameter:
    - it can be False if disabling CA checking is requested (insecure TLS)
    - it can be set to True to check CA with the system CA bundle
    - finally the path to the CA cert can be passed which must be used to
      check the session

    The cert parameter used currently is a client certificate, which is
    obviously wrong in this case.

    Change-Id: I100163713236a6096197e011963d08e994312dcd
    Closes-Bug: #1593268
    (cherry picked from commit 9d428206cd7326ffc29101745dc4a2b12461760f)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/sahara 4.1.0

This issue was fixed in the openstack/sahara 4.1.0 release.
