Issue #1227
Updated by rbarlow over 8 years ago
A security flaw (CVE-2015-5263) was discovered in Pulp's consumer management system. When the pulp-consumer CLI is used to register to a Pulp server, it downloads a public server RSA key from the Pulp server and stores it locally. Later when the Pulp server sends messages through a message broker to instruct it to perform commands, it will use the corresponding private key to sign the messages. The client checks the signatures before executing the instructions to ensure that the messages came from the Pulp server and not from an attacker. Versions of pulp-consumer-client between 2.4.0 and 2.6.3 do not check the server's TLS certificate signatures when retrieving the server's public key upon registration. This allows a man in the middle to inject their own message signing key and to then perform administrative actions on the machine, if they are able to send messages through the message broker.

Austin Macdonald fixed this issue in this commit by using our pulp.bindings library as the rest of our CLI does: https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754

Users who do not use pulp-consumer are not affected by this issue.

In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs, which stops self-signed certs from being trusted. This was done through "PEP 476":https://www.python.org/dev/peps/pep-0476/. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since it carries 2.7.10. Fedora 21 carries 2.7.8.

To reproduce, start with an empty pulp with no consumers and do the following:

1. Configure httpd to use a self-signed SSL cert.
2. Verify you have Python >= 2.7.9 by showing the version: `python -V`
3. Register the consumer as c1 by running: `sudo pulp-consumer -u admin -p admin register --consumer-id c1` and you'll see the following output:
<pre>
Download failed [<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>]
Consumer [c1] successfully registered
</pre>
4. Notice that the registration did complete successfully, as also reported by pulp-consumer when I run `sudo pulp-consumer status`:
<pre>
This consumer is registered to the server [example.com] with the ID [c1].
</pre>
5. The consumer is registered but unusable. First ensure that goferd is running.
6. Now try to have the consumer install a package by running: `pulp-admin -u admin -p admin rpm consumer package install run -n screen --consumer-id=c1` which shows:
<pre>
Install task created with id [ 28fdb0b6-16f0-4147-9eae-b104119b06af ]
This command may be exited via ctrl+c without affecting the request.

[-]
Waiting to begin...
</pre>
7. I had to restart goferd, but after doing so I saw the messages were rejected because the rsa_key wasn't properly fetched due to the SSL error. You'll see this in the logs on the consumer:
<pre>
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) Task RMI (rejected): Rejected
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)   sn : 7695fedd-fb5c-45e0-adf0-1792634d23b5
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)   origin : None
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)   timestamp : 2015-09-02T19:30:52Z
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)   user data : {'task_id': 'c844b3f6-6b67-47db-b36d-8e1d18872cf4', 'consumer_id': 'c1'}
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) rejected
</pre>
https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103

This is especially strange because verify_ssl = False in my config file. I expect verify_ssl = False to allow for the usage of untrusted certs like self-signed certs. Here are the contents of my ~/.pulp/consumer.conf:
<pre>
[server]
verify_ssl: False
</pre>
Also the contents of my /etc/pulp/consumer/consumer.conf:
<pre>
[server]
host = <my hostname>
port = 443
verify_ssl = False

[authentication]

[client]

[filesystem]

[reboot]

[logging]

[output]

[messaging]
host = <my hostname>
port = 5672

[profile]
</pre>
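How the two consumer.conf fragments quoted above can be merged and turned into the TLS context the key download should use, as an added example that is not Pulp's code: it assumes the user file overrides the system file, that verification is on unless explicitly disabled, and takes the key URL path as a placeholder argument because the report does not give it.

```python
import configparser
import ssl
import urllib.request

# Constructed samples mirroring the two config files quoted in the report.
SYSTEM_CONF = """
[server]
host = pulp.example.com
port = 443
verify_ssl = False
"""
USER_CONF = """
[server]
verify_ssl: False
"""


def load_server_settings(*config_texts):
    """Merge the [server] sections of several config files.

    Later texts override earlier ones (assumed precedence: user file over
    system file). configparser accepts both '=' and ':' as delimiters, so
    'verify_ssl: False' and 'verify_ssl = False' are the same setting.
    Verification stays on unless the operator explicitly turns it off.
    """
    parser = configparser.ConfigParser()
    for text in config_texts:
        parser.read_string(text)
    return {
        "host": parser.get("server", "host", fallback=None),
        "port": parser.getint("server", "port", fallback=443),
        "verify_ssl": parser.getboolean("server", "verify_ssl", fallback=True),
    }


def build_ssl_context(verify_ssl, ca_path=None):
    """TLS context for fetching the server's public key.

    The default is the Python >= 2.7.9 behaviour: chain and hostname are
    checked against ca_path or the system store. Only an explicit
    verify_ssl=False disables checking, so the key download and the rest
    of the CLI agree on what they trust.
    """
    ctx = ssl.create_default_context(cafile=ca_path)
    if not verify_ssl:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_server_key(settings, key_path, ca_path=None):
    """Download the server's public RSA key over a context honouring verify_ssl.
    key_path is a placeholder; the real path is not given in the report."""
    url = "https://%s:%d%s" % (settings["host"], settings["port"], key_path)
    ctx = build_ssl_context(settings["verify_ssl"], ca_path)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()
```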