  1. RHEL
  2. RHEL-51279

keylime does not require TLS between verifier and revocation notification webhook

    • Bug
    • Resolution: Unresolved
    • Undefined
    • rhel-10.0.beta
    • rhel-10.0.beta
    • keylime
    • None
    • keylime-7.9.0-7.el10
    • No
    • None
    • 2
    • sst_security_special_projects
    • ssg_security
    • 26
    • None
    • False
    • Yes
    • SECENGSP Cycle 6, SECENGSP Cycle 7
    • Removed Functionality
    • .Keylime no longer supports HTTP for revocation notifications

      The Keylime components no longer support the HTTP protocol for revocation notification webhooks. Use HTTPS instead. As a consequence, the Keylime verifier now requires the revocation notification webhook server CA certificate. You can add it to the `trusted_server_ca` configuration option or add it to the system trust store.
    • Done
    • None

      What were you trying to do that didn't work?

      The verifier does not enforce the use of TLS for the connection between the verifier and the revocation notification webhook when TLS is enabled in configuration.

      This means that if the webhook does not provide a certificate, the connection is established without TLS and the revocation notification is transferred in plaintext. This can be dangerous if the revocation notification includes sensitive data.

      Please provide the package NVR for which bug is seen:

      keylime-7.3.0-13.el9_3.src.rpm

      How reproducible:

      100%

      Steps to reproduce

      1. Set up a webhook without TLS to receive the revocation notifications. For testing purposes, a simple ncat is sufficient. For example:

      $ ncat --no-shutdown -k -l 8080 -c '/usr/bin/sleep 3 && echo HTTP/1.1 200 OK' -o logfile &

      2. Starting with the default configuration, configure the verifier to send revocation notifications to the webhook by setting the following options:

      enabled_revocation_notifications = ['agent', 'webhook']

      webhook_url = "localhost:8080"

      3. Start the Keylime verifier, Keylime registrar, and Keylime agent. Enroll the agent to the verifier using the Keylime tenant. Make the agent fail attestation by running a script that is not included in the runtime policy.

      Expected results

      The connection between the verifier and the webhook should not be established due to lack of server certificate. The webhook server should not receive the revocation notification.

      Actual results

      The connection is established without TLS and the server receives the revocation notification.
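
A configuration audit for the two options from the reproduction steps, added here as an example (it is not Keylime code and not part of the original report): it flags a `webhook_url` that cannot result in an HTTPS connection while webhook notifications are enabled, including the scheme-less form used above. The `[revocations]` section name and the sample values are constructed assumptions; the audit scans every section, so it does not depend on that name.

```python
import ast
import configparser
from urllib.parse import urlsplit

# Constructed sample: the two options from the reproduction steps.
# The section name is an assumption; the audit below does not rely on it.
SAMPLE_CONF = """
[revocations]
enabled_revocation_notifications = ['agent', 'webhook']
webhook_url = "localhost:8080"
"""

def _find(cfg, option):
    """Return the first value of `option` found in any section, or None."""
    for section in cfg.sections():
        if cfg.has_option(section, option):
            return cfg.get(section, option)
    return None

def webhook_enabled(cfg):
    """True if 'webhook' is listed in enabled_revocation_notifications."""
    raw = _find(cfg, "enabled_revocation_notifications") or "[]"
    try:
        methods = ast.literal_eval(raw)      # value is written as a list literal
    except (ValueError, SyntaxError):
        methods = [m.strip() for m in raw.split(",")]
    return "webhook" in methods

def check_webhook_url(url):
    """Return a list of problems; an empty list means https:// with a host."""
    parts = urlsplit(url.strip().strip("'\""))
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'!r}, not 'https'")
    if not parts.hostname:
        problems.append("no host component (URL has no '//' authority part)")
    return problems

def audit(conf_text):
    """Audit configuration text; returns [] when the webhook is unused or HTTPS."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    if not webhook_enabled(cfg):
        return []
    return check_webhook_url(_find(cfg, "webhook_url") or "")

if __name__ == "__main__":
    for problem in audit(SAMPLE_CONF):
        print("webhook_url:", problem)
```

An `https` URL that passes this check says nothing about certificate validation: per the release note, the verifier still needs the webhook server CA certificate in `trusted_server_ca` or in the system trust store.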

              ksrot@redhat.com Karel Srot
              ansasaki@redhat.com Anderson Sasaki
              Anderson Sasaki
              Karel Srot
              Jan Fiala