tls: sni hostname is not verified #6212
Because osquery does not correctly verify the TLS SNI hostname, it may be possible to present a valid certificate for a different TLS endpoint and, in the absence of a configured root chain of trust in osquery, MitM osquery traffic.
What operating system and version are you using?
This bug impacts all operating systems leveraging the TLS plugin
What version of osquery are you using?
This bug looks to impact versions of osquery >= 2.10.0 through 4.1.2
What steps did you take to reproduce the issue?
What did you expect to see?
What did you see instead?
TLS Results and requests are successfully processed.
As an update, it looks like #6170 is going to bring a lot of our Python integration testing for the TLS communications online. I'm going to hold off on building anything heavy until that ships. Once it's landed we should be able to tweak some of those tests to replicate this bug, and then #6197 should have some decent testing enabled for it and we can close this out!
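The check the issue describes as missing, as an added example that is not part of the issue thread or osquery's code: after the chain validates, the certificate's subjectAltName entries must also match the hostname the client intended to reach. The hostnames, the certificate dictionaries (in the shape returned by Python's `ssl.SSLSocket.getpeercert()`) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: a certificate that chains to a trusted CA but was
# issued for a different endpoint than the one the client is configured for.
OTHER_ENDPOINT_CERT = {
    "subjectAltName": (("DNS", "other.example.net"), ("DNS", "*.other.example.net")),
}
# Constructed sample: the certificate of the intended TLS endpoint.
ENROLLED_CERT = {
    "subjectAltName": (("DNS", "osquery.example.com"), ("IP Address", "192.0.2.10")),
}

def dns_id_matches(pattern, host):
    """Compare one DNS SAN entry with the expected hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and must be
        # followed by at least two fixed labels ("*.com" never matches).
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def cert_matches_host(cert, expected):
    """True if a SAN entry covers `expected`; the subject CN is not consulted."""
    sans = cert.get("subjectAltName", ())
    try:
        want_ip = ipaddress.ip_address(expected)
    except ValueError:
        want_ip = None
    if want_ip is not None:
        # IP literals may only match "IP Address" entries, never DNS ones.
        return any(k == "IP Address" and ipaddress.ip_address(v) == want_ip
                   for k, v in sans)
    return any(k == "DNS" and dns_id_matches(v, expected) for k, v in sans)

def accept_peer(cert, expected, chain_trusted, check_hostname):
    """Model of the client's decision; check_hostname=False is the reported bug."""
    if not chain_trusted:
        return False
    return cert_matches_host(cert, expected) if check_hostname else True
```

With `check_hostname=False` the certificate for `other.example.net` is accepted on a connection meant for `osquery.example.com`; with the hostname check enabled it is rejected while the enrolled certificate still passes.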