Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check/warn if incorrect cert being used to encrypt messages #160

Closed
tofu-rocketry opened this issue Apr 7, 2021 · 4 comments · Fixed by #322
Closed

Check/warn if incorrect cert being used to encrypt messages #160

tofu-rocketry opened this issue Apr 7, 2021 · 4 comments · Fixed by #322
Assignees
@Will-Cross1
Labels
enhancement GGUS Has a related GGUS ticket
Milestone
3.4.1

Comments

@tofu-rocketry
Copy link
Member

tofu-rocketry commented Apr 7, 2021
edited
Loading

From GGUS.

Would be useful if a client SSM could check if messages are being encrypted by a cert that's actually used by the central server that'll be eventually receiving the messages.

Might need to be able to fetch a DN from GOCDB.
@tofu-rocketry tofu-rocketry added enhancement GGUS Has a related GGUS ticket labels Apr 7, 2021
@gregcorbett

This comment has been minimized.

Sign in to view
@tofu-rocketry

This comment has been minimized.

Sign in to view
@tofu-rocketry
Copy link
Member Author

To avoid having to fetch anything, we could just add a list of default host DNs that the cert should be for (i.e. the apel prod and pre-prod hosts) and have a config setting that can disable that check if really needed (e.g. regional servers) or override what host the DN can be for.

@tofu-rocketry
Copy link
Member Author

Or just check it's not the host's own cert being used as that's what usually ends up happening.

Will-Cross1 added a commit to Will-Cross1/ssm that referenced this issue Apr 10, 2024
@Will-Cross1
Resolved apel#160
9b7e4db 
now checks wether the host cert is the same as server cert for sender
if it is then an error message is given

added sender_failed = True to an exception to properly show it failed
@Will-Cross1 Will-Cross1 mentioned this issue Apr 10, 2024
Merged
Will-Cross1 added a commit to Will-Cross1/ssm that referenced this issue Apr 10, 2024
@Will-Cross1
Resolved apel#160
677c957 
now checks wether the host cert is the same as server cert for sender
if it is then an error message is given

added sender_failed = True to an exception to properly show it failed
@tofu-rocketry tofu-rocketry added this to the 3.4.1 milestone Apr 10, 2024
tofu-rocketry pushed a commit that referenced this issue Apr 10, 2024
@Will-Cross1 @tofu-rocketry
Resolved #160
34e16d4 
now checks wether the host cert is the same as server cert for sender
if it is then an error message is given

added sender_failed = True to an exception to properly show it failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Will-Cross1 Will-Cross1

Labels
enhancement GGUS Has a related GGUS ticket
Milestone
3.4.1
3 participants
@gregcorbett @tofu-rocketry @Will-Cross1