Projects tigase _server server-core Issues #1568
Incorrect SSL certificate being used (#1568)
Andrzej Wójcik (Tigase) opened 6 days ago

Tigase XMPP Server loads certificates and uses them for "assigned domain" (domain for which certificate was uploaded) and domain for which domain is "good for" (Subject Alternative Names). That causes an issue is we have 2 certificates for the same domain, ie. we have automatically generated certificate for domain test.example.com (self-signed), while after a while we upload certificate for example.com that has test.example.com in Subject Alternative Names.

After that Tigase XMPP Server will use certificate that was added later (that would be example.com certificate). That would be somehow correct.

However, after the restart of the server, Tigase XMPP Server may load "self-signed" certificate for domain test.example.com after loading example.com certificate (that is valid for test.example.com as well). That results in a self-signed certificate being returned by the server even if valid certificate is available.

I think this issue was partially started with changes from Improve loading certificates and updating them later on #1080 that started overriding certificates if a new certificate had a value for Subject Alternative Names.

As we already made a switch and now require (by default) a valid SSL certificate, it would be reasonable to resolve this issue.

The easiest solution, would be to "delete" old/previous certificates that matches domain or alt domain when a new certificate is provided. However, with support for wildcards and ie. multiple domains/subdomains being supported by more than one certificate that may cause issues with random assignment of certificate for domain. That could be resolved by forcing users to pass domain for which certificate should be used (manually) and only use this certificate for a single domain but it wouldn't allow users to upload a single certificate for multiple domains at once (or even subdomains).

We could also keep track of the order in which certificates were upload and always use newest certificates (apply them in order of upload).

While we are at it, I would like to remove generation of self-signed certificates with exception of "default" certificate. That means that unless certificate would be uploaded for a domain only "default" certificate would be used. That would allow us to get rid of self-signed certificates generated automatically and switch to just a single certificate that would be self-signed and manager by the server. Others if needed, would need to be managed by the user/

  • Andrzej Wójcik (Tigase) added "Related" Customers/atom#347 6 days ago
  • Andrzej Wójcik (Tigase) commented 6 days ago

    @wojtek What do you think would be the best approach. Right now we have certificates stored by the main alias of the certificate but also used by Subject Alternative Names domains loaded and overwritten at random.

  • Andrzej Wójcik (Tigase) commented 6 days ago

    Initially, I was thinking just about newer overriding certificate for domain with a self-signed certificate. That would be the simplest partial solution but may not always be an expected behavior.

  • Wojciech Kapcia (Tigase) added "Related" Customers/atom#301 3 days ago
  • Wojciech Kapcia (Tigase) added "Related" #1080 3 days ago
  • Wojciech Kapcia (Tigase) commented 3 days ago

    Hmm... this is basically due to trying to have nice-and-automatic things. And SAN + widlcards are just throwing spanner into the weels. AFAIR this is mostly due to concurrency issue where connector port could be open before the certificates are all loaded and self-signed certificate would be generated)

    In general self-signed certificas most of the time only cause issues and it would be nice to actually get rid of them altogether…

    We do need self-signed given that we now require the certs. Generating one only for default/"main" installatino domain (and ignoring for the rest) sounds very good.

    I would also avoid storing any self-signed certificate in the repository (which in this case should help even without previous step) and avoid overriding any certificates in CertificateContainer with self-signed ones altogether (slightly smarter logic there). AFAIR I already made it so that the self-signed should not be generated if the proper certificate is only expired (both are invalid in the grand scheme of things but still, expired one slightly less than self-signed IMHO).

    We could also add an option to enable/disable generating self-signed certificates automatically (on by default, but handy in certain deploymenst that are already strapped on; alternatively off by default and generate the self-signed cert only when using installer?)

    I'm not sure that ad-hoc that requires specifying vhosts explicitly would be that great (certificate duplication, having to maintain the correct list in certbot, etc)

    All in all:

    1. don't store any self-signed certificates in the repository
    2. generate self-signed cert only for the main/default VHost and no other domain
  • Andrzej Wójcik (Tigase) changed state to 'In Progress' 2 days ago
    Previous Value Current Value
    Open
    In Progress
  • Andrzej Wójcik (Tigase) commented 2 days ago

    Please review my changes.

    I've took a slightly different approach. I've added a mechanism to decide which certificate is "more important". I've decided (and I think we agree on that) that self-signed certificate are lowest priority. Then certificates with matching name, then with domain in the SAN (with exception if matching name certificate is not valid any more and SAN covering this domain is valid).

    With that in place and minor change to "remove" from use wildcard certificates that are self-signed if those are not used for "primary" domain (those autogenerated by the server), I've achieved a working solution that looks to be stable and correctly selecting SSL certificates.

    I've also added an option removeSelfSignedUnusedCerts that can detect unused self-signed certificates (those that were replaced by other certs using SAN) that when enabled could remove those certificates from the repository.

    I also think we are still missing an option to remove certificate (adhoc action). Right now we can update the certificate but we cannot remove it (could be useful for domains that are no longer in use/no longer hosted).

  • Andrzej Wójcik (Tigase) changed state to 'In QA' 2 days ago
    Name Previous Value Current Value
    State
    In Progress
    In QA
    Assignee
    andrzej.wojcik
    wojtek
issue 1 of 1
Type
Bug
Priority
Normal
Assignee
Version
none
Sprints
n/a
Customer
n/a
Issue Votes (0)
Watchers (3)
Reference
tigase/_server/server-core#1568
Please wait...
Page is in error, reload to recover