[Pulp-list] Pulp 2.6 vs 2.8 event notifier question

Michael Hrivnak mhrivnak at redhat.com
Wed Feb 3 12:09:05 UTC 2016


Good point. In theory there shouldn't be any sensitive information in the
POSTed data, but I can imagine some users wanting to maintain strict
guarantees that no information leaks out through a man-in-the-middle
attack. This notifier also has the option to provide username and password
credentials when doing the POST, in which case a user definitely wouldn't
want that to leak out.

Would it be sufficient for you if we added an option to that notifier to
skip cert verification, but make the default behavior to do the validation?

Michael

On Wed, Feb 3, 2016 at 1:39 AM, Partha Aji <paji at redhat.com> wrote:

>
> So katello uses pulp's http event notifiers to get information about
> operations like "sync_complete". So Katello typically configures the event
> notifiers to fire off to "https://localhost/katello/....." . In pulp 2.6
> this used to work ok, but with pulp 2.8 we get issues like ""
> Feb  1 09:51:34 katello-yoda celery: raise SSLError(e, request=request)
> Feb  1 09:51:34 katello-yoda celery: SSLError: [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
> ""
> when the notification fails. While we can try to add katello's cert to the
> central ca-trust, the question arises as to why pulp should require this.
>
> When an app has the authority to configure an event notification to any
> url it chooses (be it http or https), why should pulp care for trusting the
> certificate of the server it's notifying?
>
>
> Partha