Details
- Type: Story
- Status: Open
- Priority: Medium
- Resolution: Unresolved
- Affects Version/s: 3.15.0
- Fix Version/s: None
- Component/s: Built-in functions, cf-agent, function: url_get()
- Labels: None
Description
Running 3.15.0 on an opensuse host I had issues querying some https host.
It would be nice if I could specify the CAfile and CApath or simply choose to disable certificate checking.
opensuse15:~ # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.2 Alpha"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.2"
PRETTY_NAME="openSUSE Leap 15.2 Alpha"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.2"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
I set url.verbose to 1 and I saw the problem was in setting the certificate verify locations.
opensuse15:~ # cf-agent -KIb lynis:main --define DEBUG --show-evaluated-vars > /tmp/out
  Trying 37.97.194.171:443...
  TCP_NODELAY set
  Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
  ALPN, offering http/1.1
  error setting certificate verify locations:
    CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  Closing connection 0
opensuse15:~ #
I think that I should be able to set those paths using options. To get it working I had to symlink things to the expected location.
opensuse15:~ # ls /etc/ssl/ -al
total 28
drwxr-xr-x 1 root root   142 Dec 22 18:38 .
drwxr-xr-x 1 root root  4392 Dec 22 21:10 ..
lrwxrwxrwx 1 root root    38 Sep 20 15:42 ca-bundle.pem -> /var/lib/ca-certificates/ca-bundle.pem
lrwxrwxrwx 1 root root    28 Sep 20 15:42 certs -> /var/lib/ca-certificates/pem
-rw-r--r-- 1 root root   412 Dec  6 09:59 ct_log_list.cnf
-rw-r--r-- 1 root root   412 Dec  6 09:59 ct_log_list.cnf.dist
-rw-r--r-- 1 root root 10909 Dec  6 09:59 openssl.cnf
drwx------ 1 root root     0 Dec  6 09:59 private

mkdir -p /etc/pki/tls/certs/
ln -s /var/lib/ca-certificates/ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
That got me further.
opensuse15:~ # cf-agent -KIb lynis:main --define DEBUG --show-evaluated-vars > /tmp/out
*   Trying 37.97.194.171:443...
* TCP_NODELAY set
* Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.cisofy.com
*  start date: Mar  2 00:00:00 2018 GMT
*  expire date: Mar 22 12:00:00 2020 GMT
*  subjectAltName: host "downloads.cisofy.com" matched cert's "*.cisofy.com"
*  issuer: C=NL; O=Trust Provider B.V.; OU=Domain Validated SSL; CN=Trust Provider B.V. TLS RSA CA G1
*  SSL certificate verify ok.
> GET /lynis/lynis-2.7.5.tar.gz HTTP/1.1
Host: downloads.cisofy.com
Accept: */*
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 27 Feb 2020 17:56:38 GMT
< Content-Type: application/octet-stream
< Content-Length: 288688
< Last-Modified: Mon, 24 Jun 2019 13:56:27 GMT
< Connection: keep-alive
< ETag: "5d10d68b-467b0"
< Expires: Thu, 12 Mar 2020 17:56:38 GMT
< Cache-Control: max-age=1209600
< Cache-Control: public
< Vary: Accept-Encoding
< Accept-Ranges: bytes
<
* Connection #0 to host downloads.cisofy.com left intact
*   Trying 37.97.194.171:443...
* TCP_NODELAY set
* Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.cisofy.com
*  start date: Mar  2 00:00:00 2018 GMT
*  expire date: Mar 22 12:00:00 2020 GMT
*  subjectAltName: host "downloads.cisofy.com" matched cert's "*.cisofy.com"
*  issuer: C=NL; O=Trust Provider B.V.; OU=Domain Validated SSL; CN=Trust Provider B.V. TLS RSA CA G1
*  SSL certificate verify ok.
> GET /lynis/lynis-2.7.5.tar.gz HTTP/1.1
Host: downloads.cisofy.com
Accept: */*
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 27 Feb 2020 17:56:40 GMT
< Content-Type: application/octet-stream
< Content-Length: 288688
< Last-Modified: Mon, 24 Jun 2019 13:56:27 GMT
< Connection: keep-alive
< ETag: "5d10d68b-467b0"
< Expires: Thu, 12 Mar 2020 17:56:40 GMT
< Cache-Control: max-age=1209600
< Cache-Control: public
< Vary: Accept-Encoding
< Accept-Ranges: bytes
<
* Connection #0 to host downloads.cisofy.com left intact
Unfortunately, I still couldn't cross the finish line with what I was attempting. I was trying to use url_get() to download a tar.gz, but I couldn't figure out how to write the binary data in the url_get() content response to disk correctly. Which is why I think we still need CFE-1627.
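The workaround in the report (symlinking the distribution's CA bundle to the path libcurl was built to expect) is the right shape of fix from a defender's point of view: it keeps certificate verification on rather than disabling it. The script below is an added example, not part of the ticket and not CFEngine code; it generalises the manual `mkdir`/`ln -s` above into an idempotent helper that searches a list of common bundle locations (the candidate paths are an assumption about typical distro defaults, not values from cf-agent) and refuses to overwrite a real file at the expected path. The optional root-prefix argument exists so the functions can be exercised against a throwaway directory tree.

```shell
#!/bin/sh
# Added example: expose the distro CA bundle at the path libcurl expects,
# instead of turning off TLS verification in url_get().

# Candidate bundle locations, first match wins.
# Assumption: these are common defaults; extend for other platforms.
CA_CANDIDATES="
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/var/lib/ca-certificates/ca-bundle.pem
/etc/ssl/ca-bundle.pem
"

# find_ca_bundle [root]: print the first readable bundle under an optional
# root prefix (the prefix lets the function run against a fake tree).
find_ca_bundle() {
    root=${1:-}
    for f in $CA_CANDIDATES; do
        if [ -r "$root$f" ]; then
            printf '%s\n' "$root$f"
            return 0
        fi
    done
    return 1
}

# ensure_curl_bundle [root]: make the path libcurl expects resolve to the
# distro bundle via a symlink. Never replaces an existing file, so a bundle
# the administrator manages by hand is left untouched.
ensure_curl_bundle() {
    root=${1:-}
    expected="$root/etc/pki/tls/certs/ca-bundle.crt"
    bundle=$(find_ca_bundle "$root") || {
        echo "no CA bundle found; install ca-certificates" >&2
        return 1
    }
    if [ -e "$expected" ]; then
        printf '%s\n' "$expected"
        return 0
    fi
    mkdir -p "$(dirname "$expected")"
    ln -s "$bundle" "$expected"
    printf '%s\n' "$expected"
}

# count_certs path: cheap sanity check that the file really holds PEM
# certificates (an empty or misnamed bundle would still fail verification).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}
```

After running `ensure_curl_bundle` with no argument on a real host, a `curl -v https://...` or a url_get() call with url.verbose set should print "successfully set certificate verify locations" as in the second cf-agent run above; `count_certs` on the resulting path should be well above zero.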
Attachments
Issue Links
- relates to: CFE-1627 Support for http/ftp (or other URI patters) in copy_from (Open)