Skip to content
This repository has been archived by the owner on Nov 29, 2024. It is now read-only.

User passed CA certificates should not be appended to the System CAs #80

Open
scholzj opened this issue Aug 28, 2021 · 3 comments
Open

Comments

@scholzj
Copy link
Member

scholzj commented Aug 28, 2021

If I read the code in

if !tlsConfig.RootCAs.AppendCertsFromPEM(caCert) {
correctly, it tries to append the user provided CAs to the system certificates. I think this is wrong - if user passes own CA certificates, it should be used exclusively and not mixed with some system certificates.

@ppatierno
Copy link
Member

What's the reason you think it's wrong? Do you see any drawback? At the beginning we thought this way then discussing with @k-wall we thought that there is no good reason for adding and not exclusive CA provided cert. Open to listen your reasons.

@scholzj
Copy link
Member Author

scholzj commented Aug 28, 2021

It is IMO wrong because you trust way more CAs then the user requested, so IMHO it is a security issue. If the user tells the canary to trust a specific CA, it should not trust his CA and many other CAs. You can use that for example to trick the canary to connect to a different server with completely different CA for example. If this was not under development but released I would say it is a CVE.

If nothing else, there should be an option to not do this. But at least personally, I also haven't seen any other application do this - so it would be also unexpected for the users at least in the Kafka land. So I think it should not do this at all.

Also - leaving the appending aside - even the use of the system certs by default contradicts the documentation in the README.md which says that the default is empty which is not true if it defaults to the system certs. I think this part is fine and useful and mirrors for example the Java behaviour, but should be covered correctly in the docs.

@ppatierno
Copy link
Member

@scholzj I think what you said makes sense. While discussing, I opened #81 for fixing the doc describing the current behaviour.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants