Mac OS X agent doesn't validate server certificate for inventory upload

Bug #1056062 reported by Cyrille Bollu
This bug affects 1 person
Affects: OCS Inventory: Unified Unix Agent
Status: In Progress
Importance: Medium
Assigned to: mortheres

Bug Description

======= CONFIG START =========
Mac OS X 2.0 beta4 agent installed

cat /etc/ocsinventory-agent/ocsinventory-agent.cfg
server=https://<server>/ocsinventory
debug=1
========CONFIG END ==========

======= STEPS TO REPRODUCE START =========
1- delete file /private/var/lib/ocsinventory-agent/<server_uri>/cacert.pem
2- start the ocsinventory agent
3- see with tcpdump/wireshark that ocsinventory agent happily sends its inventory over HTTPS

Optionally

4- deploy a package to the Mac OS X agent
5- see the "ERR_DOWNLOAD_INFO" status
======= STEPS TO REPRODUCE END =========

======= GREETINGS START =========
Cheers guys!

and thanks for this OSS
======= GREETINGS END =========

Frank (frank-bourdeau)
Changed in ocsinventory-unix-agent:
importance: Undecided → Medium
assignee: nobody → mortheres (mortheres)
Cyrille Bollu (cyrille-bollu) wrote :

After further investigation with a PKI expert, we have come to the following conclusion:

1- It is normal that ocsinventory-agent can send its inventory without a local copy of the server's certificate validation chain (the so-called "cacert.pem") because (1) we are not using a self-signed certificate, and (2) Apache is configured to send the certificate validation chain to the client upon connection. With this configuration, the agent validates the certificate validation chain given by Apache up until the root certificate which is part of the OS.
2- For the same reasons, ocsinventory-agent should be able to download packages without a local copy of the server's certificate. We assume there's a bug in the part of the code doing the download.

These conclusions hold only for the Unified Unix Agent; we don't know how ocsinventory-agent behaves under Windows.

HTH,

Cyrille

mortheres (mortheres) wrote :

Hi Cyrille,

Thanks for your reports. In the OCS 2.1 RC1 release (which is coming tomorrow :) :)), we added a new "ca" configuration option to specify a path for the cacert.pem file that will be used for both HTTPS communication and package downloads.

Can you try using the 2.1RC1 agent by adding a line like this to your /etc/ocsinventory-agent/ocsinventory-agent.cfg file?

ca=/some/path/where/you/want/cacert.pem

Kind regards,

--
Guillaume

Changed in ocsinventory-unix-agent:
status: New → In Progress
Cyrille Bollu (cyrille-bollu) wrote :

Hi,

I wanted to run the test today, but apparently I also need to upgrade the OCSI server, and that version isn't available yet.

It will have to wait until after my holidays, then.

Sorry,

Cyr

Frank (frank-bourdeau) wrote :

Hi

Any news about this bug?

Regards

Frank

Cyrille Bollu (cyrille-bollu) wrote :

Hello,

Thanks for following up.

But actually, the title of this bug is a bit incorrect, and mortheres' proposal doesn't address the real problem we suspect.

In fact, we think that, in our case, the OCSI agent should not need a copy of the server's certificate, because our server uses a certificate signed by TERENA (with UTN-USERFirst-Hardware above that) and is configured to send the whole certificate chain to clients when they connect (the SSLCertificateChainFile option of the Apache server).

With this config, the agent is supposed to receive the server's certificate along with the whole certificate chain (up to UTN-USERFirst-Hardware) on every connection, and is therefore able to validate the server's identity without a local copy of it.

This does seem to be the case for the inventory part of the agent, but not for the download part.

Best regards,

Cyrille
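Both of Cyrille's comments above rest on the same TLS rule: a client that trusts only a root (the OS store, or a cacert.pem) can validate the server's certificate only if the server also sends the intermediate(s) that link the two, which is what Apache's SSLCertificateChainFile is for. The shell script below is an added example, not OCS Inventory's own code or the reporter's setup: it builds a throwaway root / intermediate / server PKI with openssl and runs the same checks a client does, with and without the served chain. The CA names, the hostname ocs.example.test, the work directory and all file names are invented for the demo.

```sh
#!/bin/sh
# Added example, not OCS Inventory code: build a toy root -> intermediate ->
# server PKI with openssl and verify it the way a TLS client does. All names,
# the hostname ocs.example.test and the file layout are made up for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/ext.cnf"

write_config() {
    cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:ocs.example.test
subjectKeyIdentifier = hash
EOF
}

# Small EC keys keep the demo fast; the trust logic is identical for RSA.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

build_pki() {
    write_config
    # 1. Self-signed root: the only thing the client trusts a priori. In the
    #    bug report this role is played by the OS root store.
    openssl req -x509 -new $KEYOPTS -sha256 -days 365 \
        -subj "/CN=Example Root CA" -config "$CFG" -extensions ca_ext \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # 2. Intermediate CA signed by the root (the TERENA tier in the report).
    openssl req -new $KEYOPTS -sha256 -subj "/CN=Example Intermediate CA" \
        -config "$CFG" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$CFG" -extensions ca_ext -out "$WORK/inter.pem" 2>/dev/null
    # 3. Server certificate signed by the intermediate, SAN = ocs.example.test.
    openssl req -new $KEYOPTS -sha256 -subj "/CN=ocs.example.test" \
        -config "$CFG" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$CFG" -extensions leaf_ext -out "$WORK/server.pem" 2>/dev/null
    # This is what Apache's SSLCertificateChainFile should carry: the
    # intermediate(s) between the server certificate and the root.
    cp "$WORK/inter.pem" "$WORK/chain.pem"
}

# Server sends only its own certificate; client trusts only the root.
# Fails with "unable to get local issuer certificate".
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Server also sends the intermediate (-untrusted = "as received from the
# peer"); the chain now closes at the trusted root and validation succeeds.
verify_with_served_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Hostname check: a valid chain alone does not prove the peer is the host
# named in server=https://<host>/...; the SAN must match that name too.
verify_hostname() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
        -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

demo() {
    build_pki
    for case in verify_leaf_alone verify_with_served_chain \
                "verify_hostname ocs.example.test" "verify_hostname evil.example.test"; do
        if $case; then echo "$case: OK"; else echo "$case: FAIL"; fi
    done
    echo "work dir: $WORK"
}

demo
```

Read against the thread: `verify_leaf_alone` failing is the situation of a server that does not ship its chain, and `verify_with_served_chain` succeeding is the "Apache sends the chain, the OS root closes it" case Cyrille describes. The `-verify_hostname` checks are the other half of server authentication that a silent agent would skip. On my reading of mortheres' comment, a file handed to the 2.1 `ca=` option would play the role of `root.pem` here; the thread does not spell out what that file must contain beyond "the cacert.pem", so treat that mapping as an assumption. To reproduce the check against a live server, `openssl s_client -connect host:443 -showcerts` lists exactly which certificates it sends.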
