The version of OpenSSL available for use with RHEL5+ contains a bug that makes it fail to function properly with the tls_checkpeer option against a FreeIPA server using a cert from DogTag.

openssl s_client -connect hostname.example.com:636 -showcerts -CAfile /etc/ipa/ca.crt

The command above incorrectly reports that the certificate is valid, while nss_ldap, pam_ldap, and sudo all fail to verify the certificate, requiring that tls_checkpeer be set to 'no'.
Other users discuss the bug in this mailing list thread: http://web.archiveorange.com/archive/v/Gs2Fr1jGgypmPzWv26Hn#hhbTEmv0a6lgBxD
I will be opening a Redhat bug for this and will link it once it is created.
This ticket is reflected by the Redhat bug here: https://bugzilla.redhat.com/show_bug.cgi?id=676384
This affects all of RHEL 5.x but not RHEL 6. RHEL 6 ships with OpenSSL 1.x, I believe.
-- RHEL BUG TICKET DETAILS --
Tomas Mraz 2011-02-11 03:36:30 EST
The algorithms have to be added into the SSL_library_init() call. A workaround is to run OpenSSL_add_all_algorithms() before SSL_library_init() in the caller.

The OpenSSL client tests also seem to inaccurately verify the cert as valid even though the other programs using the OpenSSL libraries fail. This is exactly because the openssl commands always call OpenSSL_add_all_algorithms() in addition to the SSL_library_init() call.

Comment 9 Tomas Mraz 2011-03-07 13:01:23 EST
Created attachment 482750: Patch adding the SHA-2 algorithms to SSL_library_init
Per Rohith Suresh, the fix for the bug is proposed to be released in RHEL 5.7.
Looks like it will be fixed in RHEL 5.7; closing the IPA side, there is nothing for us to do here.
Metadata Update from @jraquino: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.1 - 2011/08 (Final)