Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refs #33496 - set the peers host name to be able to verify it #9643

Merged
merged 1 commit into from Sep 16, 2021
Merged

Refs #33496 - set the peers host name to be able to verify it #9643

merged 1 commit into from Sep 16, 2021

Conversation

evgeni
Copy link
Member

@evgeni evgeni commented Sep 16, 2021

instead of not checking the name in the cert, correctly set it, so that
it actually can be verified

I have no idea why qpid_proton doesn't automatically parse this from the
URL.

@evgeni evgeni mentioned this pull request Sep 16, 2021
Closed
@evgeni
Copy link
Member Author

evgeni commented Sep 16, 2021

FWIW, I've opened https://issues.apache.org/jira/browse/PROTON-2434

ekohl
ekohl reviewed Sep 16, 2021
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no minimum version on the gem:

katello/katello.gemspec

Line 40 in 4e80f88

gem.add_dependency "qpid_proton"

Should there be? I think it'd be nice to guarantee certificate verification. I think that either means setting 0.35 as a minimum version or explicitly enabling peer authentication, right?

@evgeni
Copy link
Member Author

evgeni commented Sep 16, 2021

Should there be? I think it'd be nice to guarantee certificate verification. I think that either means setting 0.35 as a minimum version or explicitly enabling peer authentication, right?

Yeah, on 0.34 this would be silently ignored, as it defaults to ANONYMOUS_PEER. Forcing 0.35 just because of that seems silly.
Setting VERIFY_PEER_NAME explicitly sounds good.

@jturel what'cha think?

@evgeni
Copy link
Member Author

evgeni commented Sep 16, 2021

On the other hand, we're updating all stable branches to 0.35 anyways, so 🤷‍♀️

@jturel jturel self-assigned this Sep 16, 2021
@jturel
Copy link
Member

jturel commented Sep 16, 2021

Considering we're seeing default behavior change, +1 to setting VERIFY_PEER_NAME explicitly and not including a min gem version

@evgeni
Refs #33496 - set the peers host name to be able to verify it
1932a18 
instead of not checking the name in the cert, correctly set it, so that
it actually can be verified

I have no idea why qpid_proton doesn't automatically parse this from the
URL.

also explicitly ask for VERIFY_PEER_NAME so that it validates on 0.34 too
@evgeni
Copy link
Member Author

evgeni commented Sep 16, 2021

Considering we're seeing default behavior change, +1 to setting VERIFY_PEER_NAME explicitly and not including a min gem version

Updated.

@ekohl
Copy link
Member

ekohl commented Sep 16, 2021

Is this now a separate Redmine issue? Other than that 👍

jturel
jturel approved these changes Sep 16, 2021
View reviewed changes
Copy link
Member

@jturel jturel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APJ

@jturel
Copy link
Member

jturel commented Sep 16, 2021

Is this now a separate Redmine issue? Other than that

I'm good as-is. The redmine could be renamed to reflect the evolution perhaps

@evgeni
Copy link
Member Author

evgeni commented Sep 16, 2021

🥦

@jturel jturel merged commit 28a8287 into Katello:master Sep 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl left review comments

@jturel jturel jturel approved these changes

Assignees

@jturel jturel

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@evgeni @jturel @ekohl