Bug #27156

open

Do not send CA list on client authentication

Added by Benoît PECCATTE 16 days ago. Updated 1 day ago.

Status: Pending release
Priority: N/A
Category: Server components
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Error - Blocking
Regression: No

Description

When a client tries to authenticate via TLS in the http connection, the server sends it a list of accepted CAs, which can be pretty long since we don't have a proper PKI yet.

Since we don't have a PKI, we store all agent certificates as CA, which makes a very long list.
When this list is sent, it can overflow the TLS connection and make it fail with a tlsv1 alert internal error.

The solution is to use SSLCADNRequestFile to send a shorter list.


Subtasks 2 (2 open, 0 closed)

Bug #27174: CA list is not initialized at installation - Pending release - Alexis Mousset
Bug #27254: Apache refuses to start when /var/rudder/lib/ssl/policy_server.pem is a symlink - Pending release - François ARMAND

#2

Updated by Benoît PECCATTE 16 days ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder/pull/6477
#4

Updated by Benoît PECCATTE 15 days ago

  • Status changed from Pending technical review to Pending release
#6

Updated by François ARMAND 1 day ago · Edited

  • Fix check changed from To do to Error - Blocking

This breaks migration from 8.2.6 to 8.3.x with the change:

[root@server vagrant]# systemctl status apache2
Unit apache2.service could not be found.
[root@server vagrant]# systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Wed 2025-07-09 12:38:29 UTC; 57s ago
   Duration: 25min 54.814s
       Docs: man:httpd.service(8)
    Process: 83463 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 83463 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..." 
        CPU: 41ms

Jul 09 12:38:29 server systemd[1]: Starting The Apache HTTP Server...
Jul 09 12:38:29 server httpd[83463]: AH00526: Syntax error on line 32 of /opt/rudder/etc/rudder-apache-relay-ssl.conf:
Jul 09 12:38:29 server httpd[83463]: SSLCADNRequestFile: file '/var/rudder/lib/ssl/policy_server.pem' does not exist or is empty
Jul 09 12:38:29 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 09 12:38:29 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 09 12:38:29 server systemd[1]: Failed to start The Apache HTTP Server.
Jul 09 12:38:30 server systemd[1]: httpd.service: Unit cannot be reloaded because it is inactive.

But file /var/rudder/lib/ssl/policy_server.pem exists and is not empty

on Alma 9.5 and httpd-core-2.4.62-4.el9.x86_64

#7

Updated by François ARMAND 1 day ago

WORKAROUND

So the problem is that in my case, the file /var/rudder/lib/ssl/policy_server.pem exists as a symbolic link.
Removing the link, then doing a real cp /opt/rudder/etc/ssl/agent.cert /var/rudder/lib/ssl/policy_server.pem corrected the problem.
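As an added example (not part of this ticket and not Rudder's own code), a shell check that applies the workaround above before httpd is restarted, so that the file named by SSLCADNRequestFile (from the description) is a regular, non-empty PEM file rather than a symlink. The function names, return codes and the constructed test data are this example's own; the two paths are the ones quoted in the ticket.

```shell
# Added example, not Rudder's own code: applies the workaround from comment #7
# as a check a migration step could run before restarting httpd.
# SSLCADNRequestFile only controls which subject DNs are advertised in the
# CertificateRequest; trust is still defined by SSLCACertificateFile/Path.

# ensure_ca_dn_file SRC DST
#   SRC: certificate to copy (e.g. /opt/rudder/etc/ssl/agent.cert)
#   DST: path named by SSLCADNRequestFile (e.g. /var/rudder/lib/ssl/policy_server.pem)
# Return codes (this example's own): 0 ok, 2 copy failed, 3 empty, 4 no PEM cert.
ensure_ca_dn_file() {
    src="$1"
    dst="$2"
    # A symlink at DST is what made httpd refuse to start (subtask #27254):
    # replace it with a regular copy, as the workaround above does.
    if [ -L "$dst" ]; then
        rm -f "$dst"
    fi
    if [ ! -f "$dst" ]; then
        cp "$src" "$dst" || return 2
    fi
    # mod_ssl rejects a missing or empty file at startup ("does not exist or is empty").
    [ -s "$dst" ] || return 3
    # At least one PEM certificate is needed: its subject DN is what gets advertised.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$dst" || return 4
    return 0
}

# count_advertised_dns FILE: one DN is sent per certificate in FILE, so this is
# the size of the list the client will see (a few entries instead of every agent).
count_advertised_dns() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}
```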
