Replace SSLSocket with JSSSocket in CLI #5021
Conversation
|
@rcritten with this update the client validate certificate but IPA is not making available the OCSP endpoint, or at least in the configuration here. For this and other problem, at moment the verification is disabled during installation and in the CA when acting as client. Could OCSP be enabled in IPA? If IPA uses pki clients for some operation this should be taken in account. |
5107263 to
07d5449
Compare
There was a problem hiding this comment.
The code changes are good, but as discussed on Slack I'm a bit concerned because some tests have to be changed to use the --ignore-... or --skip-... options, so it might cause problems for QE automation and end users as well.
I think if we know for certain that this is only affecting a limited set of scenarios (i.e. QE might need to update some tests but not all), we probably can merge it if QE is OK with that.
If this is affecting many of scenarios, I'd suggest to wait until we resolve the actual issue with revocation checking.
Alternatively, we probably can disable the revocation checking by default so the behavior is the same as before. Once we resolve the actual issue with revocation checking we can change the default.
| @@ -109,6 +109,7 @@ jobs: | |||
| # enrollment should fail | |||
| docker exec pki pki \ | |||
| -n caadmin \ | |||
| --ignore-cert-status OCSP_SERVER_ERROR \ | |||
There was a problem hiding this comment.
I'm wondering if we should set up a separate OCSP server with it's own DS so that it's not affected by CA DS shutdown which is what we're primarily trying to test here.
There was a problem hiding this comment.
I guess this could be a scenario also for IPA so it is OK to test with internal OCSP
6bca823 to
ef9f3e3
Compare
The PKIConnection is now using NonBlocckingSocketFactory as default to create a socket. The non bloking socket is built in JSSSocket.
During pkispawn some client command c 8000 ould fails because the revocation cannot be verified since the server is down. These cases have to be ignored.
With JSSSocket in the client it is possible to enable OCSP check for the certificate. If not specified it is enabled for all clients operation but it is disabled for all the client commands executed by the server. There are several scenarios where the check are failing because of the presence of other OCSP certificates. This is the case of SubCAs. For this reason it is disabled at the moment but can be disabled. An option could be to enable and making OCSP using KeyHash using the param ca.byName. To disable revocation check from pki cli it has been introduced the option `--skip-revocation-check`.
When CA is running client operation there is no revocation check on certificates. This can be enabled with the option in CS.cfg: ca.clientRevocationCheck=true The opetion can be enabled with pkispawn using the CA configuration: pki_client_verify_cert=True The default value is false
Since clients are moving to JSS which perform OCSP check by default there are situation where these need to be disabled. New option in pkispan and pki command have been added and here documented.
ef9f3e3 to
37dcd92
Compare
|
@edewata after #5026 the only problem are with the ActivityMonitor which will be fixed in other PRs. The remaining skips are related to situation where expired/revoked certificate are expected. Do we miss cases?
|
| @@ -271,6 +271,7 @@ jobs: | |||
| docker exec pki pki \ | |||
| -u caadmin \ | |||
| -w Secret.123 \ | |||
| --ignore-cert-status REVOKED_CERTIFICATE \ | |||
There was a problem hiding this comment.
Should this be EXPIRED_CERTIFICATE since we're testing with expired certs?
There was a problem hiding this comment.
This error is generated by checking the validity of temporary sslserver certificate. In line 211 above it was verified the expired sslserver and the error was EXPIRED_CERTIFICATE as expected. Then it is replaced with a temporary certificate which is valid and not revoked but all the subsystem certificates have expired, including the ocsp_signing certificate. Therefore, testing the temporary sslserver certificate it is valid and good but the validation failed because the OCSP certificate has expired. As a result the certificate is considered REVOKED because our policy is to consider the certificate revoked if validation fails.
There was a problem hiding this comment.
I think the "revoked" status is misleading since there's nothing actually revoked, but we can table that for another time. Do you mind adding your explanation as a comment above this line?
| @@ -234,6 +234,7 @@ jobs: | |||
| docker exec pki pki \ | |||
| -u caadmin \ | |||
| -w Secret.123 \ | |||
| --ignore-cert-status REVOKED_CERTIFICATE \ | |||
There was a problem hiding this comment.
Same thing, should this be EXPIRED_CERTIFICATE?
| @@ -187,7 +188,7 @@ jobs: | |||
| docker exec ipa pki nss-cert-show ipa-ca-agent | |||
|
|
|||
| # CA admin should be able to access PKI users | |||
| docker exec ipa pki -n ipa-ca-agent ca-user-find | |||
| docker exec ipa pki -n ipa-ca-agent --skip-revocation-check ca-user-find | |||
There was a problem hiding this comment.
I think we should use --ignore-cert-status EXPIRED_CERTIFICATE since we're trying to fix an expired cert. If the cert is actually revoked we do want the client to know that (i.e. the command should fail).
| == Add pki_client_verify_cert parameter == | ||
|
|
||
| A new parameter `pki_client_verify_cert` has been added to | ||
| enable/disable the certificate revocation check for the CA acting as | ||
| client. The default value is `False` which disables the check. |
There was a problem hiding this comment.
We have other pki_client_* params but they are mainly used to provide the client credentials for the admin user, so the new param could be confusing. Could we use something like pki_connector_verify_cert or pki_kra_connector_verify_cert?
| if config.str2bool(self.mdict['pki_client_verify_cert']): | ||
| subsystem.set_config('ca.clientRevocationCheck', 'true') |
There was a problem hiding this comment.
Could we use something like ca.certRevocationCheck instead to avoid confusion, or maybe move it to the connector configuration (e.g. ca.connector.KRA.certRevocationCheck)?
| #TODO: certificate not accepted with this setup | ||
| docker exec tps pki -n caadmin --ignore-banner \ | ||
| tps-user-show tpsadmin |
| @@ -277,16 +277,19 @@ jobs: | |||
|
|
|||
| - name: Check CA admin user again | |||
| run: | | |||
| #TODO: after migration the OCSPServlet is failing and has to be fixed | |||
There was a problem hiding this comment.
Is there a ticket for this issue? Could you add the link into the comment?
There was a problem hiding this comment.
It is the same problem with the AuthorityMonitor present with other containers workflows.
There was a problem hiding this comment.
I see, AuthorityMonitor is indeed not compatible with containers, but if it's disabled it's breaking other things, and we just discovered that since we're enabling revocation checking. Could you maybe change the comment like this: OCSPServlet fails since AuthorityMonitor is disabled in container?
| @@ -163,8 +165,10 @@ jobs: | |||
| sleep 60 | |||
|
|
|||
| # enrollment should work | |||
| # OCSP is not working because he authorityMonitor is disabled | |||
There was a problem hiding this comment.
I think this is another issue with AuthorityMonitor, basically if cannot be disabled without causing issues somewhere elase.
base/server/etc/default.cfg
Outdated
| @@ -384,6 +384,8 @@ pki_request_id_length=128 | |||
| pki_security_domain_setup=True | |||
| pki_registry_enable=True | |||
|
|
|||
| pki_client_verify_cert=False | |||
There was a problem hiding this comment.
I think we should disable revocation check only if it's causing a chicken and egg problem (e.g. installing CA with certs pointing to its built-in OCSP) so I'm not sure if we should apply the same default policy for all installation cases.
There was a problem hiding this comment.
I have update to true. With latest changes to default OCSP there are no problem in workflows.
37dcd92 to
2c3ba22
Compare
| @@ -277,16 +277,19 @@ jobs: | |||
|
|
|||
| - name: Check CA admin user again | |||
| run: | | |||
| #TODO: after migration the OCSPServlet is failing and has to be fixed | |||
There was a problem hiding this comment.
I see, AuthorityMonitor is indeed not compatible with containers, but if it's disabled it's breaking other things, and we just discovered that since we're enabling revocation checking. Could you maybe change the comment like this: OCSPServlet fails since AuthorityMonitor is disabled in container?
| @@ -271,6 +271,7 @@ jobs: | |||
| docker exec pki pki \ | |||
| -u caadmin \ | |||
| -w Secret.123 \ | |||
| --ignore-cert-status REVOKED_CERTIFICATE \ | |||
There was a problem hiding this comment.
I think the "revoked" status is misleading since there's nothing actually revoked, but we can table that for another time. Do you mind adding your explanation as a comment above this line?
837f774 to
96f27e3
Compare
|
| @@ -163,8 +165,10 @@ jobs: | |||
| sleep 60 | |||
|
|
|||
| # enrollment should work | |||
| # OCSP is not working because he authorityMonitor is disabled | |||
| check in situation where the OCSP server or the CRLs cannot be | ||
| accessed. | ||
|
|
||
| Alternatively, the generated error can be ignored using the option |
There was a problem hiding this comment.
Alternatively, the revocation check will still happen, but the generated error can be ignored using the option
IPA assign AIA to a dedicated host, named "ipa-ca", as described in https://pagure.io/freeipa/issue/8595. The host ipa-ca has to be an alias for the hostname to allow AIA to work properly.
The clientRevocationCheck is used only with KRA connector so it has been moved to the connector configuration and renamed as "ca.connector.KRA.certRevocationCheck". Additionally, the pkispawn parameter "pki_client_verify_cert" has been renamed as "pki_kra_connector_verify_cert".
96f27e3 to
6aeada3
Compare
The JSSSocket allows both sync and async communication used by modern framework.
The main difference when used with current clients is related to certificate verification. JSSSocket enables OCSP and CRL-DP verification. This could be a problem in some scenario where the server cannot be accessed for the verification. Although it is possible to ignore the error using the
pkioption--ignore-cert-status <status>a new option allows to skip the verification:--skip-revocation-check.The client enable the revocation check by default but there are problem when the CA act as a client to perform some operation. For this reason a new option is added,
ca.clientRevocationCheck, which default to false. This can be configured with pkispawn using the optionpki_client_verify_cert(defaultFalse).The client operations performed during
pkispawn/pkidestroyhave the revocation check disabled.An option to control the revocation check during installation and deletion, and some workflow to verify they are working, will be done in separate PR.