Bug 1693962 - Insight client test connection will fail when Satellite doesn't allow SSL protocol lower than TLSv1.1 [NEEDINFO]
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Insights
Classification: Red Hat
Component: Client
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: jcrafts
QA Contact: Jeff Needle
Docs Contact: Kevin Blake
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-29 07:45 UTC by Hao Chang Yu
Modified: 2019-04-15 16:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
jcrafts: needinfo? (hyu)



Description Hao Chang Yu 2019-03-29 07:45:08 UTC
Description of problem:

In the connection.py _test_openssl method, SSL.TLSv1_METHOD is set for the SSL connection. This means the insight client script will only accept a TLSv1.0 connection. If the Satellite only allows TLSv1.1 and above, then the connection test will fail. The client can register successfully even when the test connection fails, so this gives a false alarm.

        ctx = SSL.Context(SSL.TLSv1_METHOD)   # <=== should replace with 'SSL.SSLv23_METHOD'
        if type(self.cert_verify) is not bool:
            if os.path.isfile(self.cert_verify):
                ctx.load_verify_locations(self.cert_verify, None)
            else:
                logger.error('Error: Invalid cert path: %s', self.cert_verify)
                return False


It seems like a bug for the insight client script. I think it should use the following method instead.

From openssl docs:

SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()

    These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Most applications should use these methods, and avoid the version specific methods described below.

Comment 1 Hao Chang Yu 2019-03-29 07:51:34 UTC
Another issue in the _test_openssl method is the hardcoded 443 port. It should use hostname[1] when the port is set, because the client can register to the Capsule server, and the Capsule server uses port 8443 as a reverse proxy to the Satellite.


    def _test_openssl(self):
        '''
        Run a test with openssl to detect any MITM proxies
        '''
        success = True
        hostname = urlparse(self.base_url).netloc.split(':')
        sock = socket.socket()
        sock.setblocking(1)
<snip>
        else:
            try:
                sock.connect((hostname[0], 443))  # <=== HERE: port is hardcoded

Comment 2 Dave Johnson 2019-03-29 08:15:06 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 3 jcrafts 2019-04-15 16:01:18 UTC
Could you please rephrase the question here? I'm afraid I don't really understand. It seems like you're saying, "the connection will fail on TLSv1.2, so reduce the protocol to SSLv2.3." That sounds like the opposite of what should be done.

