
Certificate verification fails during connection to the revocation notification webhook server #1569

Closed
ansasaki opened this issue Jul 1, 2024 · 2 comments · Fixed by #1570

Comments

@ansasaki
Contributor

ansasaki commented Jul 1, 2024

Is your issue a feature request? If so, please raise it as an enhancement

Environment

  • OS / version: N/A
  • Processor architecture: N/A
  • TPM Manufacturer: N/A
  • Keylime version: current master (f88f2cc)

Description

python-requests added a regression in version 2.32.3, reported upstream via psf/requests#6730.

This causes the default CA certificates not to be loaded during a connection, making certificate verification fail.

Keylime is affected by the regression, as identified during the investigation when the tests started failing on Fedora Rawhide and CentOS Stream 10 in #1523.

Expected behavior vs. actual behavior

Expected:

  • The system installed CA certificates are loaded during a connection using python-requests

Actual:

  • The system installed CA certificates are not loaded during a connection using python-requests, leading to certificate verification failure.

Steps to reproduce problem

  1. Run the basic-attestation-with-custom-certificates from the testsuite using tmt:
$ tmt run -vvv plan -n upstream-keylime-all-tests discover -h fmf -t 'configure_tpm_emulator' -t 'install_upstream_keylime' -t 'install_rust_keylime_from_copr' -t 'basic-attestation-with-custom-certificates' prepare provision -h virtual -i Fedora-Rawhide -c system execute finish

Relevant logs

The log contains an error similar to:

Using default temp DH parameters
ACCEPT
ERROR
80B2D4BDE57F0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:909:SSL alert number 48
ERROR
80B2D4BDE57F0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:909:SSL alert number 48
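The "unknown ca" alert above is what the server sends when the client could not validate the server certificate, which is exactly what happens when the client's SSL context contains no CA certificates. The snippet below is an added illustration, not Keylime's code nor the change in #1570: it resolves an explicit CA bundle the way the workaround in this thread does, and adds a pre-flight check that the context actually holds CA certificates before a requests session is built. The bundle paths and the hypothetical function names are assumptions.

```python
import os
import ssl

# Well-known system CA bundle locations (assumed; Fedora/RHEL first, then Debian-style).
SYSTEM_CA_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def resolve_ca_bundle(env=None):
    """Return an explicit CA bundle path instead of relying on verify=True.

    Honours the environment variables requests/OpenSSL already read, then
    falls back to the system bundle, then to certifi. Returns None if nothing
    is found so the caller can fail loudly rather than verify against nothing.
    """
    env = os.environ if env is None else env
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE"):
        if env.get(var):
            return env[var]
    for path in SYSTEM_CA_BUNDLES:
        if os.path.isfile(path):
            return path
    try:
        import certifi  # optional dependency; only used as a last resort
        return certifi.where()
    except ImportError:
        return None


def loaded_ca_count(cafile=None):
    """Count CA certificates an SSL context would trust.

    A bare client context loads nothing, which reproduces the failure mode
    (0 CAs -> every server certificate is 'unknown ca'); passing an explicit
    bundle is the workaround.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx.cert_store_stats()["x509_ca"]


def verified_session(cafile):
    """Build a requests.Session pinned to an explicit, non-empty CA bundle."""
    import requests  # imported here so the checks above work without requests installed
    if loaded_ca_count(cafile) == 0:
        raise RuntimeError(f"CA bundle {cafile!r} contains no CA certificates")
    session = requests.Session()
    session.verify = cafile  # explicit path, not verify=True
    return session
```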
ansasaki added a commit to ansasaki/keylime that referenced this issue Jul 1, 2024
This is a workaround for the regression added by `python-requests`
version `2.32.3`

Resolves: keylime#1569

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
THS-on pushed a commit that referenced this issue Jul 2, 2024
This is a workaround for the regression added by `python-requests`
version `2.32.3`

Resolves: #1569

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Contributor Author

I'm reopening this as this regression was re-introduced. I was misled into thinking the workaround where we added the default certificate bundle explicitly (#1570) was not needed anymore and dropped it as part of the PR #1566.

I'll create a new PR to re-introduce the workaround.

@ansasaki ansasaki reopened this Sep 25, 2024
@ansasaki
Contributor Author

ansasaki commented Oct 8, 2024

I'm closing this again. After investigation, it was determined that the issue was in the test case, which was fixed via RedHat-SP-Security/keylime-tests#661.

This was caused by the removal of the symlink to the trusted certificate bundle to improve performance. Basically it will ignore CA certificates that have the same subject as a previously loaded certificate.

Related Fedora change: https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile
OpenSSL upstream discussion: openssl/openssl#25551 (comment)

@ansasaki ansasaki closed this as completed Oct 8, 2024