POST /deliveryservices/sslkeys/add accepts unrelated certificates #7046

Closed
zrhoffman opened this issue Aug 30, 2022 · 0 comments · Fixed by #7136
Labels

  • bug: something isn't working as intended
  • low difficulty: the estimated level of effort to resolve this issue is low
  • low impact: affects only a small portion of a CDN, and cannot itself break one
  • SSL: support for/problems with SSL features
  • Traffic Ops: related to Traffic Ops

zrhoffman commented Aug 30, 2022

This Bug Report affects these Traffic Control components:

  • Traffic Ops

Current behavior:

POST /api/4.1/deliveryservices/sslkeys/add accepts unrelated certificates included in the certificate.crt field

Expected behavior:

Including a certificate that is not part of the Leaf-Intermediate-Root chain should result in a response with a 400-level HTTP status code.

Steps to reproduce:

  1. Create Delivery Service 1
  2. Generate a self-signed certificate for DS 1
  3. Create Delivery Service 2
  4. Generate a self-signed certificate for DS 2
  5. Append the DS 2 certificate to the bottom of the DS 1 certificate and POST

POST /api/4.1/deliveryservices/sslkeys/add response (HTTP response status code 200):

{
  "alerts": [
    {
      "text": "WARNING: SSL keys were successfully added for 'my-delivery-service-1', but the input certificate may be invalid (certificate is signed by an unknown authority)",
      "level": "warning"
    }
  ]
}

zrhoffman added the bug, Traffic Ops and SSL labels on Aug 30, 2022

ocket8888 added the low impact and low difficulty labels on Oct 17, 2022
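
One way a server-side check could enforce the expected behavior described in the report, written in Go as an added example (not Traffic Ops code and not part of the original issue). The helper names `CheckBundle` and `SampleCert` are hypothetical, and the Ed25519 test certificates with `*.example.test` names are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

// CheckBundle (hypothetical helper): in a leaf-first PEM bundle, each certificate must be signed by the next.
func CheckBundle(bundle []byte) error {
	var prev *x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("unparseable certificate: %w", err)
		}
		if prev != nil && prev.CheckSignatureFrom(cert) != nil {
			return fmt.Errorf("%q did not issue %q", cert.Subject.CommonName, prev.Subject.CommonName)
		}
		prev = cert
	}
	if prev == nil {
		return fmt.Errorf("no certificate in bundle")
	}
	return nil
}

// SampleCert builds a constructed CA-capable certificate as PEM; a nil parent means self-signed.
func SampleCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), tmpl, key
}

func main() {
	ds1, _, _ := SampleCert("ds1.example.test", nil, nil)
	ds2, _, _ := SampleCert("ds2.example.test", nil, nil)
	fmt.Println(CheckBundle(append(ds1, ds2...))) // the bundle from the reproduction steps
}
```

A lone self-signed certificate and a leaf followed by its issuer both pass, while the bundle from the reproduction steps is rejected. The check covers signature linkage only, not validity dates or whether the last certificate is a trusted root.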