- Bug
- Resolution: Unresolved
- rhel-10.0.beta
- keylime-7.9.0-7.el10
- rhel-sst-security-special-projects
- ssg_security
- SECENGSP Cycle 7
- keylime notifier should read trusted CA certificates both from system trust store and verifier trusted_server_ca configuration.
- Pass
- Automated
- Feature
- Proposed
What were you trying to do that didn't work?
When verifying the revocation notification webhook server certificate, keylime does not include the certificates provided via the 'trusted_server_ca' configuration option. Only the system-installed CA certificates are used.
Please provide the package NVR for which the bug is seen:
keylime-7.3.0-13.el9_3.src.rpm
How reproducible:
always
Steps to reproduce
- Setup a webhook server to receive revocation notifications using TLS. For example:
$ openssl s_server -cert cert.crt -key private.pem -port 8080 &
- Add the revocation notification webhook server CA certificate to the 'trusted_server_ca' list in the verifier configuration (by modifying /etc/keylime/verifier.conf or adding a snippet in /etc/keylime/verifier.conf.d/).
- Configure the verifier to send revocation notifications to the webhook by setting the following options in the configuration:
enabled_revocation_notifications = ['agent', 'webhook']
webhook_url = "localhost:8080"
- Start the Keylime verifier, Keylime registrar, and Keylime agent. Enroll the agent to the verifier using the Keylime tenant. Make the agent fail attestation by running a script not included in the runtime policy.
Expected results
The verifier successfully establishes a TLS connection to the revocation notification webhook server by verifying the presented certificate against the CA certificate configured via the 'trusted_server_ca' option. The revocation notification webhook server receives the revocation notification normally.
Actual results
The verifier fails to establish a TLS connection to the revocation notification webhook server due to certificate verification failure. The webhook server CA certificate added to the 'trusted_server_ca' option in the configuration is ignored.
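The expected behaviour (system trust store plus every CA listed in 'trusted_server_ca'), as an added Python example that is not Keylime's own code. The function names, the 'default' handling and the list-style option syntax are assumptions made for the example.

```python
"""Build the TLS context a verifier could use when posting a revocation
notification to a webhook: trust the system CA store AND each CA file named
in the verifier's trusted_server_ca option.  Added example, not Keylime code."""
import ast
import json
import os
import ssl
import urllib.request
from typing import Iterable, List


def parse_ca_list(value: str) -> List[str]:
    """Turn a trusted_server_ca setting such as "['/etc/keylime/ca.pem']" into a
    list of paths.  'default'/empty means "no extra CAs" (assumption)."""
    value = value.strip()
    if value in ("", "default"):
        return []
    if value.startswith("["):
        items = ast.literal_eval(value)
        if not isinstance(items, list):
            raise ValueError("trusted_server_ca must be a list of paths")
        return [str(p) for p in items]
    return [value]


def build_webhook_ssl_context(extra_ca_files: Iterable[str]) -> ssl.SSLContext:
    """System store first (what the report says is used alone today), then the
    configured CA files on top.  A missing file is a configuration error, not
    something to skip silently."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never fall back to unverified TLS
    ctx.check_hostname = True
    for path in extra_ca_files:
        if not os.path.isfile(path):
            raise FileNotFoundError(f"trusted_server_ca entry not found: {path}")
        ctx.load_verify_locations(cafile=path)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Inspectable view of the context: verification settings and CA count."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "trusted_cas": ctx.cert_store_stats()["x509_ca"]}


def notify_webhook(url: str, payload: dict, trusted_server_ca: str) -> int:
    """POST the revocation event over TLS verified with the merged trust set."""
    ctx = build_webhook_ssl_context(parse_ca_list(trusted_server_ca))
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status
```

notify_webhook is shown for completeness and needs a reachable HTTPS endpoint; the context-building helpers can be exercised offline.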
- links to: RHBA-2024:136504 keylime bug fix and enhancement update