URL: https://github.com/freeipa/freeipa/pull/734
Author: pvoborni
Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie
Action: opened

PR body:
"""
The HTTP request performed in finalize_kerberos_acquisition doesn't use the
CA certificate/certificate store with the full certificate chain of the IPA server.
So it might happen that, in case IPA is installed with an externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

Whether it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/734/head:pr734
git checkout pr734
From 39562bdd5bbaec74f643ccc13555cf75d95fe0e2 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 25 Apr 2017 17:19:36 +0200
Subject: [PATCH] kerberos session: use CA cert with full cert chain for
 obtaining cookie

The HTTP request performed in finalize_kerberos_acquisition doesn't use the
CA certificate/certificate store with the full certificate chain of the IPA server.
So it might happen that, in case IPA is installed with an externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

Whether it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876
---
 ipaserver/rpcserver.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 77ed7e1..6eed815 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -602,7 +602,8 @@ def finalize_kerberos_acquisition(self, who, ccache_name, environ, start_respons
         try:
             target = self.api.env.host
             r = requests.get('http://{0}/ipa/session/cookie'.format(target),
-                             auth=NegotiateAuth(target, ccache_name))
+                             auth=NegotiateAuth(target, ccache_name),
+                             verify=paths.IPA_CA_CRT)
             session_cookie = r.cookies.get("ipa_session")
             if not session_cookie:
                 raise ValueError('No session cookie found')
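Review bot: `verify=paths.IPA_CA_CRT` only governs the TLS leg, and the URL on the unchanged line above is still `'http://{0}/ipa/session/cookie'`, so the CA bundle is honoured only if the server answers with a redirect to HTTPS (which `requests.get` follows by default); the first hop remains plaintext either way. Consider changing the scheme to `https://` so the certificate chain is validated on the initial request and neither the Negotiate exchange nor the returned `ipa_session` cookie ever crosses a cleartext hop. The hunk also doesn't show where `paths` comes from; confirm `from ipaplatform.paths import paths` is already present in ipaserver/rpcserver.py, otherwise this line raises `NameError` only at session-acquisition time.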
-- 
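The failure mode the PR body describes (a server certificate issued by an IPA CA that is itself signed by an external root, validated against a trust store that lacks the intermediate) can be reproduced on the command line. The script below is a constructed demonstration added here; it is not FreeIPA code and not part of the PR. It assumes only the `openssl` CLI is available, uses made-up names (`External Root CA`, `IPA CA`, `ipa.example.test`) and writes into a temporary directory; `ca_bundle.pem` plays the role of the `/etc/ipa/ca.crt` bundle that `paths.IPA_CA_CRT` points at.

```shell
#!/bin/sh
# Constructed demo (not FreeIPA code). Requires the openssl CLI.
# Builds: External Root CA -> IPA CA (intermediate) -> HTTP server leaf,
# then verifies the leaf against (a) the root alone and (b) the full chain.
set -e

WORK="${WORK:-$(mktemp -d)}"

mk_chain() {
    cd "$WORK"
    # Extension profiles: one for CA certs, one for the server leaf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.test\n' > leaf.ext

    # 1. "External Root CA": the customer's root that signs the IPA CA.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.csr -subj "/CN=External Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 \
        -extfile ca.ext >/dev/null 2>&1

    # 2. "IPA CA": intermediate issued by the external root.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout ipaca.key -out ipaca.csr -subj "/CN=IPA CA" >/dev/null 2>&1
    openssl x509 -req -in ipaca.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out ipaca.pem -days 1 -extfile ca.ext >/dev/null 2>&1

    # 3. HTTP server leaf for ipa.example.test, issued by the IPA CA.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=ipa.example.test" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA ipaca.pem -CAkey ipaca.key -CAcreateserial \
        -out leaf.pem -days 1 -extfile leaf.ext >/dev/null 2>&1

    # /etc/ipa/ca.crt-style bundle: the IPA CA plus the external chain above it.
    cat ipaca.pem root.pem > ca_bundle.pem
}

# Trust store holds only the external root: the leaf's issuer is unknown,
# so openssl exits non-zero ("unable to get local issuer certificate").
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# Trust store holds the full chain, as the patch arranges via verify=.
verify_full_chain() {
    openssl verify -CAfile "$WORK/ca_bundle.pem" "$WORK/leaf.pem"
}

mk_chain
echo "root only:"
verify_root_only || echo "  -> validation FAILED without the intermediate"
echo "full chain:"
verify_full_chain
```

The same split applies to `requests`: with `verify` left at its default the library checks against its bundled public roots, which never contain a private IPA CA, while `verify=<bundle with the IPA CA and its external chain>` succeeds for exactly the reason the second `openssl verify` does.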
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel