Agent does not validate KONTENA_URI=wss:// SSL certs #2500
The agent `Kontena::WebsocketClient` connects to the configured `KONTENA_URI=wss://...` using `Faye::WebSocket::Client.new` with the default options. The `:tls` option defaults to `verify_peer: false`.

The agent will immediately establish a websocket connection, sending the `Kontena-Grid-Token` header with the plaintext grid token secret. In the case of misconfiguration or active MITM attack, this could leak the grid secret.

The agent should support optional `/etc/kontena-agent.env` parameters for websocket client SSL cert verification, and the CLI plugins etc. used for host node provisioning should be updated to configure the agent for strict SSL cert validation. For a master with a self-generated SSL cert, this would also need to deploy the cert to the agent, or possibly use some fingerprint-based mechanism.

Comments

It looks like Anyways, even if faye-websocket did implement it, the EM SSL cert validation design looks seriously flawed... A PR from 2012 to fix the EM ssl cert verification (eventmachine/eventmachine#378) to allow configuring the CA certs to use for validation, and passing the required cert-verify error/level information to the application-level callback... is still open, nearly 5 years later 😞 I don't think it's feasible to implement any kind of robust SSL cert validation for the agent

Yes, passing

I didn't trace this, but I suspect it's from the missing It looks like there is an open PR for SSL cert verification in faye-websocket, but I suspect that it's just deeply flawed: faye/faye-websocket-ruby#101

BTW these same issues also apply to the CLI websocket client used for the exec commands... because of how the
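An added example (not Kontena's or faye-websocket's code) of the agent-side check the issue body asks for: a self-signed master cert is built inline as constructed sample data, and the agent refuses to proceed on a `wss://` connection, and so never sends `Kontena-Grid-Token`, unless the peer cert matches a pinned fingerprint or chains to a deployed cert file and matches the host. The env keys `KONTENA_SSL_FINGERPRINT` and `KONTENA_SSL_CA_FILE` are hypothetical names for the proposed `/etc/kontena-agent.env` parameters.

```ruby
require 'openssl'
require 'uri'

# Constructed sample: a self-signed cert like the one a master generates for itself.
def build_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# SHA-256 fingerprint of the DER encoding, "ab:cd:..." like `openssl x509 -fingerprint -sha256`.
def cert_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(':')
end

# Decide whether the agent may proceed (and send Kontena-Grid-Token) over the socket to +uri+.
# +env+ mirrors /etc/kontena-agent.env; both key names are hypothetical:
#   KONTENA_SSL_FINGERPRINT - pinned SHA-256 fingerprint of the master cert (wins if set)
#   KONTENA_SSL_CA_FILE     - PEM file to trust: the deployed self-signed master cert or a CA
# Returns [:ok, reason] or [:reject, reason]; wss:// with neither setting is rejected outright,
# which is the strict behaviour the issue asks for instead of the verify_peer: false default.
def verify_master_cert(uri, peer_cert, env)
  u = URI(uri)
  return [:ok, 'plaintext ws://, nothing to verify'] unless u.scheme == 'wss'
  if (pin = env['KONTENA_SSL_FINGERPRINT'])
    expected = pin.downcase.delete(':')
    return [:reject, 'fingerprint mismatch'] unless expected == cert_fingerprint(peer_cert).delete(':')
    [:ok, 'fingerprint pinned']
  elsif (ca = env['KONTENA_SSL_CA_FILE'])
    store = OpenSSL::X509::Store.new
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(ca)))
    return [:reject, 'chain not trusted'] unless store.verify(peer_cert)
    return [:reject, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(peer_cert, u.host)
    [:ok, 'CA verified']
  else
    [:reject, 'wss:// without KONTENA_SSL_FINGERPRINT or KONTENA_SSL_CA_FILE']
  end
end
```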