You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2020/05/09 12:16:32 UTC
[GitHub] [cloudstack] artem-smotrakov opened a new pull request #4065: Enable revocation checking for uploaded certificates
artem-smotrakov opened a new pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065
## Description
This update turns on certificate revocation checking for uploaded certificates:
- Updated `CertServiceImpl` to be able to enable revocation checking.
- Introduced a new parameter `ENABLED_REVOCATION_CHECK` for `UploadSslCertCmd`.
- Updated `CertServiceTest`.
Even if no CLRs are specified via `PKIXParameters`, the certificates
themselves may still provide info for revocation checking:
- The AIA extension may contains a URL to the OCSP responder.
- The CLRDP extension contains a URL to the CLR.
Those extensions may need to be explicitly enabled by setting the system properties `com.sun.security.enableAIAcaIssuers` and `com.sun.security.enableCRLDP` to true. See [Java PKI Programmer's Guide](https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html).
Using a revoked certificate may be dangerous. One of the most common reasons why a certificate authority (CA) revokes a certificate is that the private key has been compromised. For example, the private key might have been stolen by an adversary.
If I understand correctly, the `CertServiceImpl` bean is used for operations with certificates on a load balancer. In particular, it validates a certificate chain without revocation checking while uploading a certificate. If a compromised revoked certificate is then used by the load balancer, then it may result to compromising TLS connections. However, the attacker has to be able to implement man-in-the-middle attack to compromise the connections. So the attacker has to be quite powerful. Therefore, such an attack is definitely not easy to implement. On the other hand, the impact may be significant because of loss of confidentiality.
This has been discussed on security@cloudstack.apache.org
## Types of changes
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
## How Has This Been Tested?
Updated one test case and added a new one in `CertServiceTest`.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626412307
<b>Trillian test result (tid-1520)</b>
Environment: xenserver-71 (x2), Advanced Networking with Mgmt server 7
Total time taken: 38292 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4065-t1520-xenserver-71.zip
Intermittent failure detected: /marvin/tests/smoke/test_scale_vm.py
Smoke tests completed. 82 look OK, 1 have error(s)
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
test_01_scale_vm | `Failure` | 19.51 | test_scale_vm.py
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626232111
@blueorangutan test matrix
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626217171
@artem-smotrakov the travis jobs often fail because of the log lengths. There is no way around that but restarting and reading the logs to make sure there is nothing in it that log. I restarted the two failed jobs.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626232159
@DaanHoogland a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware67, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626325155
@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + xenserver-71) has been kicked to run smoke tests
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626220413
Packaging result: ✔centos7 ✔debian. JID-1220
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rhtyd commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-638560445
We've two lgtms and test pass, I'll merge this.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626290758
<b>Trillian test result (tid-1519)</b>
Environment: vmware-67u3 (x2), Advanced Networking with Mgmt server 7
Total time taken: 39643 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4065-t1519-vmware-67u3.zip
Smoke tests completed. 83 look OK, 0 have error(s)
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626325077
@blueorangutan test centos7 xenserver-71
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626217209
@blueorangutan package
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626286446
<b>Trillian test result (tid-1518)</b>
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 36981 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4065-t1518-kvm-centos7.zip
Smoke tests completed. 83 look OK, 0 have error(s)
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] artem-smotrakov commented on a change in pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
artem-smotrakov commented on a change in pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#discussion_r422650520
##########
File path: api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/UploadSslCertCmd.java
##########
@@ -76,6 +76,9 @@
@Parameter(name = ApiConstants.NAME , type = CommandType.STRING, required = true, description = "Name for the uploaded certificate")
private String name;
+ @Parameter(name = ApiConstants.ENABLED_REVOCATION_CHECK, type = CommandType.BOOLEAN, description = "Enables revocation checking for certificates")
Review comment:
@DaanHoogland Do you mean `since` parameter for the `@Parameter` annotation?
```@Parameter(..., since = "4.14" ...)```
Or, do you mean `@since` in javadoc?
Which version should it be? 4.14?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on a change in pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on a change in pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#discussion_r422543192
##########
File path: api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/UploadSslCertCmd.java
##########
@@ -76,6 +76,9 @@
@Parameter(name = ApiConstants.NAME , type = CommandType.STRING, required = true, description = "Name for the uploaded certificate")
private String name;
+ @Parameter(name = ApiConstants.ENABLED_REVOCATION_CHECK, type = CommandType.BOOLEAN, description = "Enables revocation checking for certificates")
Review comment:
can you add `@since` please?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on a change in pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on a change in pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#discussion_r422660330
##########
File path: api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/UploadSslCertCmd.java
##########
@@ -76,6 +76,9 @@
@Parameter(name = ApiConstants.NAME , type = CommandType.STRING, required = true, description = "Name for the uploaded certificate")
private String name;
+ @Parameter(name = ApiConstants.ENABLED_REVOCATION_CHECK, type = CommandType.BOOLEAN, description = "Enables revocation checking for certificates")
Review comment:
no this one, it should be 4.15 (the `since` attribute is maybe a less confusing term for the same thing, forgive my semantic imprecision and follow up nitpicking;)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] artem-smotrakov commented on a change in pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
artem-smotrakov commented on a change in pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#discussion_r422668006
##########
File path: api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/UploadSslCertCmd.java
##########
@@ -76,6 +76,9 @@
@Parameter(name = ApiConstants.NAME , type = CommandType.STRING, required = true, description = "Name for the uploaded certificate")
private String name;
+ @Parameter(name = ApiConstants.ENABLED_REVOCATION_CHECK, type = CommandType.BOOLEAN, description = "Enables revocation checking for certificates")
Review comment:
No problem, I've updated the code.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rhtyd merged pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
rhtyd merged pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626217372
@DaanHoogland a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] artem-smotrakov commented on pull request #4065: Enable revocation checking for uploaded certificates
Posted by GitBox <gi...@apache.org>.
artem-smotrakov commented on pull request #4065:
URL: https://github.com/apache/cloudstack/pull/4065#issuecomment-626199864
The failed jobs in Travis don't seem to be related to the update. If I understand correctly, they failed due to too many log messages. The update doesn't introduce new output.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org