Bug #27156
closed
Do not send CA list on client authentication
Added by Benoît PECCATTE about 2 months ago.
Updated 26 days ago.
Category: Server components
Description
When a client tries to authenticate via TLS in the HTTP connection, the server sends it a list of accepted CAs, which can be pretty long since we don't have a proper PKI yet.
Since we don't have a PKI, we store all agent certificates as CAs, which makes a very long list.
When this list is sent, it can overflow the TLS connection and make it fail with a tlsv1 alert internal error.
The solution is to use SSLCADNRequestFile to send a shorter list.
- Status changed from New to In progress
- Assignee set to Benoît PECCATTE
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/6477
- Description updated (diff)
- Status changed from Pending technical review to Pending release
- Fix check changed from To do to Error - Blocking
This breaks migration from 8.2.6 to 8.3.x with the change:
[root@server vagrant]# systemctl status apache2
Unit apache2.service could not be found.
[root@server vagrant]# systemctl status httpd
× httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Wed 2025-07-09 12:38:29 UTC; 57s ago
Duration: 25min 54.814s
Docs: man:httpd.service(8)
Process: 83463 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 83463 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
CPU: 41ms
Jul 09 12:38:29 server systemd[1]: Starting The Apache HTTP Server...
Jul 09 12:38:29 server httpd[83463]: AH00526: Syntax error on line 32 of /opt/rudder/etc/rudder-apache-relay-ssl.conf:
Jul 09 12:38:29 server httpd[83463]: SSLCADNRequestFile: file '/var/rudder/lib/ssl/policy_server.pem' does not exist or is empty
Jul 09 12:38:29 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 09 12:38:29 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 09 12:38:29 server systemd[1]: Failed to start The Apache HTTP Server.
Jul 09 12:38:30 server systemd[1]: httpd.service: Unit cannot be reloaded because it is inactive.
But the file /var/rudder/lib/ssl/policy_server.pem exists and is not empty, on Alma 9.5 with httpd-core-2.4.62-4.el9.x86_64.
WORKAROUND
So the problem is that in my case, the file /var/rudder/lib/ssl/policy_server.pem exists as a symbolic link.
Removing the link, then doing a real cp /opt/rudder/etc/ssl/agent.cert /var/rudder/lib/ssl/policy_server.pem corrected the problem.
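An added preflight check, not code from Rudder or from this ticket: it computes how many bytes the certificate_authorities list built from a PEM bundle would occupy in the TLS CertificateRequest (the quantity that overflows when every agent certificate is treated as a CA, since that vector is capped at 2^16-1 bytes), and it runs the same existence, emptiness and symlink checks on the file handed to SSLCADNRequestFile that this report's workaround turned on. The certificates it builds for the demonstration are constructed stand-ins with only the DER shape the parser walks, not real certificates.

```python
import base64, os, re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
TLS_CA_LIST_MAX = 65535  # certificate_authorities is <0..2^16-1> bytes in TLS 1.2 and TLS 1.3

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert):
    """DER-encoded subject Name: what the server sends per entry of the CA list."""
    _, pos, _ = der_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = der_tlv(cert, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = der_tlv(cert, pos)
        fields.append((tag, cert[pos:end]))
        pos = end
    skip = 1 if fields[0][0] == 0xA0 else 0  # explicit [0] version is optional
    return fields[skip + 4][1]               # serial, sigAlg, issuer, validity, subject

def ca_list_size(pem_bytes):
    """(certificate count, bytes the server would put in certificate_authorities)."""
    names = [subject_der(base64.b64decode(b)) for b in PEM_CERT.findall(pem_bytes)]
    return len(names), sum(len(n) + 2 for n in names)  # 2-byte length per DistinguishedName

def check_cadn_file(path):
    """Preflight the file named by SSLCADNRequestFile; returns (count, bytes, problems)."""
    problems = ["symlink"] if os.path.islink(path) else []  # the failure mode in this report
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return 0, 0, problems + ["missing or empty"]      # what AH00526 complains about
    with open(path, "rb") as f:
        count, size = ca_list_size(f.read())
    if size > TLS_CA_LIST_MAX:
        problems.append("CA list exceeds TLS limit")      # handshake would fail
    return count, size, problems

def tlv(tag, body):  # helper for the constructed sample below, short-form lengths only
    return bytes([tag, len(body)]) + body

def fake_cert(cn):
    """Constructed stand-in, not a real certificate: just the DER shape subject_der walks."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name
              + tlv(0x30, tlv(0x17, b"250101000000Z") * 2) + name)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Run check_cadn_file against the real policy_server.pem before restarting httpd; a non-empty problems list reproduces either the AH00526 condition or the oversized list from the description.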
- Related to Bug #27267: Overwrite the /var/rudder/lib/ssl/policy_server.pem when it is a symlink added
- Fix check changed from Error - Blocking to Error - Fixed
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.2.8 and 8.3.3 which were released today.