RHEL-49601: revocation notifier does not read CA certs from the system trust store

    • Bug
    • Resolution: Unresolved
    • rhel-10.0.beta
    • keylime
    • keylime-7.9.0-7.el10
    • rhel-sst-security-special-projects
    • ssg_security
    • SECENGSP Cycle 7
      • keylime revocation notifier should read trusted CA certificates both from the system trust store and the keylime configuration file.
    • Release Note Not Required

      What were you trying to do that didn't work?

      This is in fact not truly a keylime fault but due to a change in python-requests:
      the system trust store is not taken into account when a TLS connection is initialized.

      Tracked upstream as https://github.com/psf/requests/issues/6730

      keylime upstream: https://github.com/keylime/keylime/issues/1569

      python-requests Jira https://issues.redhat.com/browse/RHEL-45478

      Please provide the package NVR for which the bug is seen:

      E.g. keylime-7.9.0-5.el10

      but most importantly python-requests-2.32.3-1.el10

      How reproducible:

      Configure a webhook listener using certificate signed by CA from a system trust store.

      Observe that the revocation notifier refuses to connect.

      There are tests in CI that manifest this issue.

      Expected results:

      Revocation notifier reads trusted CAs from the system trust store
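Added example, not code from keylime or python-requests: a client-side TLS context that loads the system trust store and then adds the CA configured for the notifier, so trust does not depend on which CA set the HTTP library bundles, plus the standard HTTPAdapter hook for handing that context to a requests session. The names (build_trust_context, describe_context, mount_trust_context, TrustStoreAdapter) are assumptions, and this is a general pattern, not the fix shipped in keylime-7.9.0-7.el10.

```python
"""Trust handling for an HTTPS webhook client that must honour both the
system CA store and an explicitly configured CA (hypothetical stand-in for a
revocation notifier's client; not keylime's own code)."""
import ssl
from typing import Optional


def build_trust_context(extra_cafile: Optional[str] = None) -> ssl.SSLContext:
    """Return a client TLS context trusting the system store plus an optional
    extra CA file (e.g. the CA named in the keylime configuration).

    PROTOCOL_TLS_CLIENT turns on hostname checking and CERT_REQUIRED, so a
    server chain anchored in neither source is rejected at the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # System trust store via OpenSSL's default paths (the ca-certificates
    # bundle on RHEL); this is the source that was being skipped.
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if extra_cafile:
        # The configured CA is added, not substituted, so both sources apply.
        # A missing file raises OSError instead of silently trusting less.
        ctx.load_verify_locations(cafile=extra_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the verification settings for a startup log line or a test;
    trust_anchors is the number of CA certificates actually loaded."""
    stats = ctx.cert_store_stats()
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "trust_anchors": stats["x509_ca"],
    }


def mount_trust_context(session, ctx: ssl.SSLContext, prefix: str = "https://"):
    """Attach the context to a requests.Session through a custom HTTPAdapter so
    every HTTPS request verifies against it (requests imported lazily so the
    context code above runs without it)."""
    import requests.adapters

    class TrustStoreAdapter(requests.adapters.HTTPAdapter):
        def init_poolmanager(self, connections, maxsize, block=False, **kwargs):
            kwargs["ssl_context"] = ctx  # handed through to urllib3's pool
            return super().init_poolmanager(connections, maxsize, block, **kwargs)

    session.mount(prefix, TrustStoreAdapter())
    return session
```

Logging describe_context() at notifier startup makes a zero trust-anchor count visible before the first webhook delivery fails.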

              Karel Srot (ksrot@redhat.com)
              Anderson Sasaki
              Votes: 0
              Watchers: 8