Can I get any +1s? Explanation is in the commit message.
commit 934cbf8d70d52a7819ae4af575f04bdf70cdcd0c
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Fri Nov 11 23:38:41 2016 +0000
Fix koji client cert authentication with OpenSSL 1.1.0
Turns out that renegotiation is broken in OpenSSL 1.1.0, so we allow clients to send their certificates (but not require them) from the very first connection on, so that they don't have to renegotiate.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/koji_hub/templates/kojihub.conf.j2 b/roles/koji_hub/templates/kojihub.conf.j2 index 01e6f1b..f39ee34 100644 --- a/roles/koji_hub/templates/kojihub.conf.j2 +++ b/roles/koji_hub/templates/kojihub.conf.j2 @@ -24,6 +24,7 @@ Alias /kojifiles "/mnt/koji/" </Directory> {% endif %}
+SSLVerifyClient optional <Location /kojihub/ssllogin> SSLVerifyClient require SSLVerifyDepth 10
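Review bot: `SSLVerifyDepth 10` still sits only inside `<Location /kojihub/ssllogin>`, while the added server-level `SSLVerifyClient optional` means a client certificate is now requested and checked during the initial handshake, before any Location applies. Unless a server-level `SSLVerifyDepth` is set elsewhere in this template, it is worth confirming that longer certificate chains still verify on the first connection, or moving the depth setting up next to the new line. The new directive also carries no comment; a one-line note in the template pointing at the OpenSSL 1.1.0 renegotiation problem would keep it from being removed later as redundant with the `require` below it.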
+!
On 11 November 2016 at 18:41, Patrick Uiterwijk puiterwijk@redhat.com wrote:
Can I get any +1s? Explanation is in the commit message.
commit 934cbf8d70d52a7819ae4af575f04bdf70cdcd0c
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Fri Nov 11 23:38:41 2016 +0000
Fix koji client cert authentication with OpenSSL 1.1.0
Turns out that renegotiation is broken in OpenSSL 1.1.0, so we allow clients to send their certificates (but not require them) from the very first connection on, so that they don't have to renegotiate.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/koji_hub/templates/kojihub.conf.j2 b/roles/koji_hub/templates/kojihub.conf.j2 index 01e6f1b..f39ee34 100644 --- a/roles/koji_hub/templates/kojihub.conf.j2 +++ b/roles/koji_hub/templates/kojihub.conf.j2 @@ -24,6 +24,7 @@ Alias /kojifiles "/mnt/koji/"
</Directory> {% endif %}
+SSLVerifyClient optional <Location /kojihub/ssllogin> SSLVerifyClient require SSLVerifyDepth 10 _______________________________________________ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
+1 if it's still needed.
P
On Fri, Nov 11, 2016 at 11:50 PM, Kevin Fenzi kevin@scrye.com wrote:
+1
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1393579 FYI