Univention Bugzilla – Full Text Bug Listing
Summary: | Servercertificate is revoked and new generated if a Memberserver is moved in the ldap directory | | |
---|---|---|---|
Product: | UCS | Reporter: | Christina Scheinig <scheinig> |
Component: | SSL | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
Severity: | normal | | |
Priority: | P5 | CC: | birkefeld, gohmann, grandjean, hahn, stephan.hendl |
Version: | UCS 4.1 | | |
Target Milestone: | UCS 4.1-2-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=34285 | | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 3: Simply Wrong: The implementation doesn't match the docu |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.069 | Enterprise Customer affected?: | Yes |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2016050921000325 | Bug group (optional): | External feedback |
Max CVSS v3 score: | | | |
Description
Christina Scheinig
2016-05-10 08:52:21 CEST
In addition:
The revoking also updates the CRL. Any service checking the CRL will now refuse to connect to the memberserver who still uses the old (now revoked) certificate.
I guess this applies to all computer objects matching the filter in gencertificate.py:
> filter = '(|' + \
> '(objectClass=univentionDomainController)' + \
> '(objectClass=univentionClient)' + \
> '(objectClass=univentionMobileClient)' + \
> '(objectClass=univentionCorporateClient)' + \
> '(objectClass=univentionMemberServer))'
(In reply to Michael Grandjean from comment #1)
> The revoking also updates the CRL. Any service checking the CRL will now
> refuse to connect to the memberserver who still uses the old (now revoked)
> certificate.

Yes, e.g. IE 11 checks the CRL by default if there is a CRL distribution point configured in the certificate. And we fell into that trap...

Currently no CRL-Distribution-Point is configured by default. Bug #34285

The bug is in univention-ssl/gencertificate.py which does not handle moves.

r70649 | Bug #41230 ssl: Handle moved computer LDAP entries
r70648 | Bug #41230 ssl: Move UID/GID loading code
r70647 | Bug #41230 ssl: Refactor common domain code
r70646 | Bug #41230 ssl: Check server role earliest
r70645 | Bug #41230 ssl: Fix switched debug output
r70644 | Bug #41230 SSL: autopep8

Package: univention-ssl
Version: 10.0.0-15.172.201606271746
Branch: ucs_4.1-0
Scope: errata4.1-2

univention-ssl.yaml

r70657 | Bug #41230 test: Check moved host keeps SSL certificate
ucs-test/tests/66_udm-computers/53_move_computer_ssl

Package: ucs-test
Version: 6.0.33-78.1492.201606271846
Branch: ucs_4.1-0
Scope: errata4.1-2

Tests: OK
Code review: OK
Advisory: OK, added missing bug number.
r71101
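A constructed model of the failure and the fix discussed in the comments above (an added example, not code from univention-ssl or from the commits listed): a listener that treats the old half of an LDAP move like a delete revokes the host certificate and publishes its serial in the CRL, while a listener that distinguishes a move from a delete keeps the existing certificate. The `(dn, new, old, command)` handler signature and the command letters are assumptions modelled on UCS listener conventions; the CA, CRL and directory entries are built in memory.

```python
# Added example, not univention-ssl code: a minimal model of a certificate listener
# reacting to an LDAP move. The (dn, new, old, command) signature and the commands
# 'a' add, 'd' delete, 'r' old entry of a move are assumptions modelled on UCS
# listener conventions; CA, CRL and directory entries are constructed in memory.
COMPUTER_CLASSES = {  # the objectClass filter quoted from gencertificate.py
    "univentionDomainController", "univentionClient", "univentionMobileClient",
    "univentionCorporateClient", "univentionMemberServer",
}
class ToyCA:
    """In-memory CA: one certificate serial per hostname plus a CRL."""
    def __init__(self):
        self.next_serial = 1
        self.certs = {}   # hostname -> currently issued serial
        self.crl = set()  # serials published as revoked

    def issue(self, host):
        self.certs[host] = self.next_serial
        self.next_serial += 1

    def revoke(self, host):
        serial = self.certs.pop(host, None)
        if serial is not None:
            self.crl.add(serial)  # CRL-checking clients now reject this serial

def matches_filter(entry):
    return bool(COMPUTER_CLASSES & set(entry.get("objectClass", [])))

def buggy_handler(ca, dn, new, old, command):
    """Treats the old half of a move like a delete: revoke, then re-issue."""
    if old and matches_filter(old) and command in ("d", "r"):
        ca.revoke(old["cn"][0])
    if new and matches_filter(new) and command == "a":
        ca.issue(new["cn"][0])

def fixed_handler(ca, dn, new, old, command):
    """Only a real delete revokes; an add keeps an existing certificate."""
    if old and matches_filter(old) and command == "d":
        ca.revoke(old["cn"][0])
    if new and matches_filter(new) and command == "a" and new["cn"][0] not in ca.certs:
        ca.issue(new["cn"][0])

def simulate_move(handler):
    """Add a member server, move it to another container, report the outcome."""
    ca = ToyCA()
    entry = {"cn": ["member1"], "objectClass": ["univentionMemberServer"]}
    handler(ca, "cn=member1,cn=computers,dc=example,dc=com", entry, None, "a")
    before = ca.certs["member1"]
    handler(ca, "cn=member1,cn=computers,dc=example,dc=com", None, entry, "r")
    handler(ca, "cn=member1,ou=branch,dc=example,dc=com", entry, None, "a")
    return before, ca.certs.get("member1"), sorted(ca.crl)
```

`simulate_move(buggy_handler)` returns a new serial and a CRL containing the old one, which is the state in which CRL-checking clients reject the moved host; `simulate_move(fixed_handler)` returns the same serial and an empty CRL.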