[Pulp-list] Pulp 2.6 vs 2.8 event notifier question

Eric Helms ehelms at redhat.com
Wed Feb 3 13:51:36 UTC 2016


Howdy, 

In the case where verification is occurring, how does a user who does not have access to the box Pulp is on give Pulp the proper certificate so that Pulp can verify the URL being hit?

Eric 

----- Original Message -----

> From: "Michael Hrivnak" <mhrivnak at redhat.com>
> To: "Partha Aji" <paji at redhat.com>
> Cc: "pulp-list" <pulp-list at redhat.com>
> Sent: Wednesday, February 3, 2016 7:09:05 AM
> Subject: Re: [Pulp-list] Pulp 2.6 vs 2.8 event notifier question

> Good point. In theory there shouldn't be any sensitive information in the
> POSTed data, but I can imagine some users wanting to maintain strict
> guarantees that no information leaks out through a man-in-the-middle attack.
> This notifier also has the option to provide username and password
> credentials when doing the POST, in which case a user definitely wouldn't
> want that to leak out.

> Would it be sufficient for you if we added an option to that notifier to skip
> cert verification, but make the default behavior to do the validation?

> Michael

> On Wed, Feb 3, 2016 at 1:39 AM, Partha Aji <paji at redhat.com> wrote:

> > So Katello uses Pulp's HTTP event notifiers to get information about
> > operations like "sync_complete". So Katello typically configures the event
> > notifiers to fire off to "https://localhost/katello/.... .". In Pulp 2.6
> > this used to work OK, but with Pulp 2.8 we get issues like
> >
> > Feb 1 09:51:34 katello-yoda celery: raise SSLError(e, request=request)
> > Feb 1 09:51:34 katello-yoda celery: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
> >
> > when the notification fails. While we can try to add Katello's cert to the
> > central ca-trust, the question arises of why Pulp should require this.
> >
> > When an app has the authority to configure an event notification to any URL
> > it chooses (be it http or https), why should Pulp care about trusting the
> > certificate of the server it's notifying?
> >
> > Partha
> 

> > _______________________________________________
> > Pulp-list mailing list
> > Pulp-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pulp-list

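Added example, not part of the thread and not Pulp's code: one way an HTTP notifier could implement the behaviour discussed above, verifying by default, offering an explicit opt-out, and accepting a CA certificate as PEM text in the notifier's own configuration so that no access to the host's trust store is needed. The config keys (verify_ssl, ca_cert, username, password), the function names, the use of HTTP Basic auth and the rule of refusing credentials over an unverified connection are assumptions of this example.

```python
import base64
import ssl
import urllib.request


def tls_context(config):
    """Build the TLS context for an https notifier; verification is on by default."""
    if not config.get("verify_ssl", True):      # hypothetical key: explicit opt-out
        ctx = ssl.create_default_context()
        ctx.check_hostname = False              # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ca_pem = config.get("ca_cert")              # hypothetical key: PEM text set via the API
    if ca_pem:
        # Trust only the supplied CA. Unparseable PEM raises here instead of
        # silently falling back to the system store or to no verification.
        return ssl.create_default_context(cadata=ca_pem)
    return ssl.create_default_context()         # system trust store


def build_post(config, body):
    """Return (Request, SSLContext or None) for one notification POST."""
    url = config["url"]
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})
    ctx = tls_context(config) if url.startswith("https://") else None
    user = config.get("username")
    if user is not None:
        # Policy of this example: credentials only go to a verified TLS peer.
        if ctx is None or ctx.verify_mode != ssl.CERT_REQUIRED:
            raise ValueError("refusing to send credentials without a verified TLS peer")
        raw = "{}:{}".format(user, config.get("password", "")).encode()
        req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode())
    return req, ctx


def notify(config, body, timeout=10):
    """Send the notification; raises on TLS verification failure."""
    req, ctx = build_post(config, body)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status
```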