Bug 1060717 - vdsm does not validate certificate hostname from another vdsm.
Summary: vdsm does not validate certificate hostname from another vdsm.
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: ---
Hardware: Unspecified
OS: Unspecified
medium vote
Target Milestone: ---
: ---
Assignee: Yaniv Bronhaim
QA Contact: Jiri Belka
Depends On:
Reported: 2014-02-03 12:53 UTC by Alon Bar-Lev
Modified: 2017-12-22 07:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2017-08-17 10:18:21 UTC
oVirt Team: Infra
ybronhei: ovirt-4.2?
ylavi: planning_ack?
ylavi: devel_ack?
lsvaty: testing_ack+


Description Alon Bar-Lev 2014-02-03 12:53:24 UTC
When the engine communicates with vdsm using TLS/SSL, it should validate the certificate subject name against the destination address.

Currently this is not performed.

For some reason the Apache HTTP client is used instead of the standard J2SE classes.

Please add host validation to this implementation.

                // provides client authentication.
                ProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(EngineEncryptionUtils.getKeyManagers(),
                Protocol clientAuthHTTPS = new Protocol("https", factory, 54321);
                Protocol.registerProtocol("https", clientAuthHTTPS);

Comment 1 Alon Bar-Lev 2014-02-03 20:35:35 UTC
While we are at it, the following should also be validated:

1. certificate validFrom is honored.

2. certificate validTo is honored.

3. certificate key usage is honored, must have digitalSignature or keyEncipherment.

4. extended key usage is honored if exists, must contain TLS Web Server Authentication.
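
The checks asked for in the description and in this comment, written as an added example against the standard J2SE (JSSE/X.509) classes the report prefers; this is not ovirt-engine or vdsm code, and the class name VdsmCertChecks and the exact-match comparison against subjectAltName entries are assumptions.

```java
// Added example, not ovirt-engine/vdsm code: validate a vdsm server certificate
// with standard X.509/JSSE classes instead of the Apache HTTP client.
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public final class VdsmCertChecks {
    // id-kp-serverAuth: "TLS Web Server Authentication" in openssl's wording
    private static final String OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";

    /** Throws unless cert is an acceptable server certificate for the destination host. */
    public static void validate(X509Certificate cert, String host) throws CertificateException {
        // 1 + 2: validFrom / validTo (CertificateNotYetValidException / CertificateExpiredException)
        cert.checkValidity();

        // 3: keyUsage, if present, must include digitalSignature (bit 0) or keyEncipherment (bit 2)
        boolean[] ku = cert.getKeyUsage();
        if (ku != null && !(ku[0] || ku[2])) {
            throw new CertificateException("keyUsage lacks digitalSignature/keyEncipherment");
        }

        // 4: extendedKeyUsage, if present, must contain serverAuth
        List<String> eku = cert.getExtendedKeyUsage();
        if (eku != null && !eku.contains(OID_SERVER_AUTH)) {
            throw new CertificateException("extendedKeyUsage lacks TLS Web Server Authentication");
        }

        // Hostname: destination must equal a subjectAltName dNSName (type 2) or iPAddress (type 7).
        // Assumption: exact match only, no wildcard handling and no fallback to the subject CN.
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if ((type == 2 || type == 7) && String.valueOf(san.get(1)).equalsIgnoreCase(host)) {
                    return;
                }
            }
        }
        throw new CertificateException("certificate does not match destination " + host);
    }

    /** Same hostname check done by JSSE itself during the handshake (RFC 2818 rules). */
    public static void enableEndpointIdentification(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }
}
```

Validity, key usage and EKU are only meaningful after the chain has been verified against the trust store; this class adds the per-certificate checks on top of that, it does not replace it.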

Comment 2 Alon Bar-Lev 2014-06-12 15:35:35 UTC
see bug#1060215 comment#10 as well.

Comment 3 Alon Bar-Lev 2014-06-12 17:52:22 UTC
need to fix vdsClient.
need to fix vdsm<->vdsm.

Comment 4 Alon Bar-Lev 2014-10-07 08:38:21 UTC
this applies as well to the new json rpc implementation.

Comment 5 Wade Mealing 2014-10-20 06:17:23 UTC
Gday Alon,

Unless this has been assigned elsewhere I need to assign a CVE number to this issue.

Do these issues all come from the same library / code in the vdsm repo, or does it affect multiple components?

Comment 6 Alon Bar-Lev 2014-10-20 06:28:04 UTC
This is per the ovirt-engine implementation.
Probably also within the vdsm implementation when communicating vdsm->vdsm.
So you can open it on both.

But given the PKI features that are not in use, for example revocation, I do not consider the PKI interaction with vdsm as anything else but a long password; the protocol could have just relied on a random key generated at install time and used for authentication.

Comment 7 Sandro Bonazzola 2015-09-04 08:59:52 UTC
This is an automated message.
This Bugzilla report has been opened on a version which is not maintained anymore.
Please check if this bug is still relevant in oVirt 3.5.4.
If it's not relevant anymore, please close it (you may use the EOL or CURRENT RELEASE resolution).
If it's an RFE please update the version to 4.0 if still relevant.

Comment 8 Red Hat Bugzilla Rules Engine 2015-10-19 11:01:49 UTC
Target release should be set once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use the target milestone to plan a fix for an oVirt release.
