Type: Bug
Resolution: Unresolved
Affects: rhel-10.0.beta
Build: keylime-7.9.0-7.el10
Team: rhel-sst-security-special-projects
Component group: ssg_security
Sprint: SECENGSP Cycle 7
Story: keylime revocation notifier should read trusted CA certificates both from the system trust store and the keylime configuration file.
Release note: Release Note Not Required
Architecture: All
What were you trying to do that didn't work?
This is in fact not truly a keylime fault but is due to a change in python-requests: the
system trust store is not taken into account when a TLS connection is initialized.
Tracked upstream as https://github.com/psf/requests/issues/6730
keylime upstream: https://github.com/keylime/keylime/issues/1569
python-requests Jira: https://issues.redhat.com/browse/RHEL-45478
Please provide the package NVR for which the bug is seen:
E.g. keylime-7.9.0-5.el10
but most importantly python-requests-2.32.3-1.el10
How reproducible:
Configure a webhook listener using a certificate signed by a CA from the system trust store.
Observe that the revocation notifier refuses to connect.
There are tests in CI that manifest this issue.
Expected results
The revocation notifier reads trusted CAs from the system trust store.
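The expected behaviour above, trusting the system store and the CA named in the keylime configuration at the same time, can be expressed with an explicit client-side SSL context handed to python-requests. This is an added illustration, not keylime's own code; the configuration path is a placeholder, and it assumes the installed requests still forwards the pool manager's `ssl_context` argument to urllib3.

```python
import os
import ssl

# Placeholder path: the real keylime configuration key for the webhook CA is not on this page.
CONFIG_CA_FILE = "/path/to/keylime-configured-ca.pem"


def build_trust_context(config_ca_file=None):
    """Client SSLContext that trusts the system store plus an optional extra CA file.

    create_default_context() loads the platform trust store (load_default_certs);
    load_verify_locations() then adds the CA from the keylime configuration, so a
    webhook listener certificate issued by either source verifies.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if config_ca_file is not None:
        # Fail loudly rather than silently trusting only the system store.
        if not os.path.isfile(config_ca_file):
            raise FileNotFoundError(f"configured CA file not found: {config_ca_file}")
        ctx.load_verify_locations(cafile=config_ca_file)
    return ctx


def context_is_strict(ctx):
    """True when the context checks the hostname and requires a verified chain."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def make_session(ctx):
    """requests.Session whose HTTPS adapter passes the explicit context to urllib3.

    python-requests is imported here rather than at module level so the context
    builder above stays usable on hosts where it is not installed.
    """
    import requests
    from requests.adapters import HTTPAdapter

    class TrustStoreAdapter(HTTPAdapter):
        def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs):
            pool_kwargs["ssl_context"] = ctx
            return super().init_poolmanager(connections, maxsize, block=block, **pool_kwargs)

    session = requests.Session()
    session.mount("https://", TrustStoreAdapter())
    return session


if __name__ == "__main__":
    # System-store-only context; add CONFIG_CA_FILE once the configured CA exists.
    print("strict verification:", context_is_strict(build_trust_context()))
```

A webhook listener certificate chaining to either the system store or the configured CA then verifies through `make_session(ctx).post(...)`, which is the behaviour the bug report expects from the revocation notifier.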
Links to: RHBA-2024:136504 keylime bug fix and enhancement update