Actions
Bug #27156
open
Do not send CA list on client authentication
Status:
Pending release
Priority:
N/A
Assignee:
Category:
Server components
Target version:
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No
Description
When a client tries to authenticate via TLS in the http connection, the server sends it a list of accepted CA, which can be pretty long since we don't have a proper PKI yet
Since we don't have a PKI, we store all agent certificates as CA, which makes a very long list.
When this list is sent, it can overflow the TLS connection a and make it fail with a tlsv1 alert internal error.
The solution is to use SSLCADNRequestFile to send a shorter list.
Updated by Benoît PECCATTE 2 days ago
- Status changed from New to In progress
- Assignee set to Benoît PECCATTE
Updated by Benoît PECCATTE 2 days ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/6477
Updated by Benoît PECCATTE about 12 hours ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|9abff1b8b633f8472343d45795122a78940a23f4.
Actions