kerberos session: use CA cert with full cert chain for obtaining cookie #734

Closed

pvoborni
Member

@pvoborni pvoborni commented Apr 26, 2017

The HTTP request performed in finalize_kerberos_acquisition doesn't use the
CA certificate/certificate store with the full certificate chain of the IPA server.
So it might happen that, in case IPA is installed with an externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

Whether it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876

@MartinBasti MartinBasti self-assigned this May 2, 2017
@MartinBasti MartinBasti added the ack Pull Request approved, can be merged label May 2, 2017
@MartinBasti
Contributor

master:

  • c19196a kerberos session: use CA cert with full cert chain for obtaining cookie

ipa-4-5:

  • 82679c1 kerberos session: use CA cert with full cert chain for obtaining cookie

@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label May 2, 2017
@MartinBasti MartinBasti closed this May 2, 2017