1543 emptry crl file fails http tpc pull transfer #1547
Conversation
|
Does this actually fix #1543 though? In the last comment there, you mention it fails if the CRL file is non-empty and contains no valid CRLs. Shouldn't we use some of the internal XRootD routines to parse the file and see if there's one CRLs present? |
|
Yes, this is something to conisder. However, we should also make sure that
malicious injection of an empty/invalid CRL file does not completely
eliminate CRL checking for all time. This is a big security loophole. As
much as I dislike CRL's they do serve a purpose. So, the solution is not
completely simple.
…On Tue, 2 Nov 2021, Brian P Bockelman wrote:
Does this actually fix #1543 though? In the last comment there, you mention it fails if the CRL file is non-empty and contains no valid CRLs. Shouldn't we use some of the internal XRootD routines to parse the file and see if there's one CRLs present?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
#1547 (comment)
|
This is a file periodically generated by XRootD in the admin directory. I figure if the attacker owns the admin directory, then it's already game over. It's also an aggregate of all CRLs available - if the attacker controls all your CRLs, then it's probably also game over. |
|
Agreed, but a periodic message that the system is constantly turning off
CRL checking because it keeps encountering an invalid CRL file would be a
good idea.
…On Tue, 2 Nov 2021, Brian P Bockelman wrote:
> However, we should also make sure that malicious injection of an empty/invalid CRL file does not completely eliminate CRL checking for all time
This is a file periodically generated by XRootD in the admin directory. I figure if the attacker owns the admin directory, then it's already game over.
It's also an aggregate of all CRLs available - if the attacker controls all your CRLs, then it's probably also game over.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#1547 (comment)
|
|
Indeed, that's a fantastic idea! I expect this to be a pretty rare occurrence so a warning message seems warranted. @ccaffy - does this sound good to you? |
|
Hi all, thanks for your comments! To sum things up, you would like to disable the CRL checking and display a warning message if there is at least one wrong CRL encountered during the CRL processing? That's sounds a good plan to me :) |
I thought that checking that the aggregated-CRL file is not empty would be sufficient as curl already checks the validity of its content. In my opinion, failing a transfer due to an empty CRL file is not acceptable, but failing a transfer due to a wrong content is acceptable. |
Not quite -- I'm thinking that if there are no CRLs in the CRL file then we disable CRL checking. Here, I'm willing to define "valid" as simply parseable as a CRL (not looking closely at the contents). Particularly, we should have a routine like this one; instead of looping through all CRLs in a file, return successful as soon as a single one is present. Actually, that suggests a simpler approach. Since we are writing the CRLs to this file in the first place, why not keep track of the number written and, if there were zero, simply don't invoke the corresponding curl option? |
Yes, for me this is fine :) I can implement that 👍 |
…the concatenated CRL file
|
I updated the code yesterday :) Please tell me if this is OK for you so that this fix can be merged :) |
|
It's on my list, you have not been forgotten!
…On Tue, 9 Nov 2021, ccaffy wrote:
I updated the code yesterday :) Please tell me if this is OK for you so that this fix can be merged :)
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
#1547 (comment)
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
.gitignore
Outdated
| @@ -58,3 +58,5 @@ xrootd.spec | |||
| dist | |||
| *.egg-info | |||
| bindings/python/VERSION | |||
| cmake-* | |||
| .idea/ | |||
There was a problem hiding this comment.
Why are these being added? Is it a problem in your own repo?
There was a problem hiding this comment.
Hi Andy,
No problem :)
Because I use CLion as IDE with local code deployed on a VM. The cmake-* directories is the equivalent of the build directory.
The .idea directory is created by CLion.
I just do not want these directories to be pushed to the project :)
Now that you said this, it looks like I can put these excludes in my local .git/info/exclude file. I will therefore remove these two lines from the .gitignore file
src/XrdTls/XrdTlsTempCA.cc
Outdated
| @@ -198,11 +209,17 @@ CRLSet::processFile(file_smart_ptr &fp, const std::string &fname) | |||
| return false; | |||
| } | |||
| } | |||
| if(!m_atLeastOneValidCRLFound) | |||
| m_atLeastOneValidCRLFound = atLeastOneValidCRLFound; | |||
There was a problem hiding this comment.
Doesn't this mean that once a valid CRL is found a subsequent scan that doesn't find one will not be registered as such? Won't that be a problem?
There was a problem hiding this comment.
I only modify the variable m_atLeastOneValidCRLFound if this variable is false. So, once a valid CRL is found, the m_atLeastOneValidCRLFound will be set to true and therefore will never be assigned anymore during the XrdTlsTempCA::Maintenance() loop.
That way, we only enable CRL checking if there is at least one valid CRL found during the Maintenance run :)
There was a problem hiding this comment.
What about this little issue that doesn't seem quite right.
There was a problem hiding this comment.
Yes, but you should consider that the next time the maintenance loop runs there may be no valid CRLs. I know that's unlikely but unlikely things happen. I think you should always update the current state of the maintenance loop otherwise that look does half the j0ob.
There was a problem hiding this comment.
If during the next time the maintenance loop runs there is no valid CRL file, do we agree that the CRL checking must be disabled?
There was a problem hiding this comment.
I think that if the current CRL file is replaced with a bad CRL file then, yes. It should be disabled. This is dynamic because the maintenance check tries to create a CRL file and if it fails then a) if the previous CRL file is still enforce then we need do nothing, or b) it gets replaced with a null file then we need top disable CRL checking. So, in the end it depends on the state the maintenance run leaves the CRL file (something I have not researched).
|
Well, not really because it is set false at the start (well initial
state). Let me explain the state:
a) we find a CRL, the state is set to true.
b) second scan and we don't find a CRL.
c) What do we do? Two cases:
1) The previous file is kept so it's OK to say use the CRL.
2) The previpus file is replaced with a null file -- not OK.
I think you see the conundrum. It really depends on what happens to the
compisite CRL file; i.e. is it kept or replaced. So, given that I don't
know (as a reviewer) it seems safest to just reflect the current state.
Now, you can elucidete what the case is. However it should be made
painfully clear in the comments ahead of the test; otherwise we will be
revisting this for years to come.
Andy
…On Wed, 1 Dec 2021, ccaffy wrote:
@ccaffy commented on this pull request.
> @@ -198,11 +209,17 @@ CRLSet::processFile(file_smart_ptr &fp, const std::string &fname)
return false;
}
}
+ if(!m_atLeastOneValidCRLFound)
+ m_atLeastOneValidCRLFound = atLeastOneValidCRLFound;
Ok, I see what you mean. I just need to reset this boolean to false at the beginning of the Maintenance run 👍
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#1547 (comment)
|
|
I thought we wanted the composite CRL file to reflect what is in the Here are the tests I did: First, best case scenario, there are two valid pem files in the Composite CRL file: Now, I empty the CRL2 file content: ... and after the next run of the Maintenance: The composite CRL file is re-generated. Containing only the first CRL file as I emptied the second CRL file. Now I will modify the CRL1 file content to break the CRL correctness of this file: Then the composite CRL file is re-generated and contains nothing: A TPC transfer will then have the CRL check disabled: Is this the behaviour we expect? Because for me, the composite CRL file should be an image of what is in the To sum things up, the composite CRL file is completely re-generated at each Maintenance run :) Sorry for the time spent on this topic, but I really need to understand and I want to be sure that you have the full picture of why I did this implementation like this ;) |
…rs/files" This reverts commit 679a87f.
|
I don't think that would work all that well because there may be a
transfer during the maintenance run and then CRLs would not be checked
eventhough there still is the previous file. Franklly, I would just get
rid of the if statement gaurd.
Andy
…On Wed, 1 Dec 2021, ccaffy wrote:
@ccaffy commented on this pull request.
> @@ -198,11 +209,17 @@ CRLSet::processFile(file_smart_ptr &fp, const std::string &fname)
return false;
}
}
+ if(!m_atLeastOneValidCRLFound)
+ m_atLeastOneValidCRLFound = atLeastOneValidCRLFound;
Ok, I see what you mean. I just need to reset this boolean to false at the beginning of the Maintenance run 👍
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#1547 (comment)
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
|
Alright then, I get rid of the if statement. Thanks for your comments :) |
…of the logic so that if at least one valid CRL file is found, the CRL checking is activated
Fixes #1543