Friday, November 20, 2009

» osc and self-signed certificates the secure way

Obviously, a much more secure option to use the osc Build Service command-line client with your own server instances that have a self-signed certificate is to actually add that server certificate to the list of blessed ones. To do so, do as follows, all of that as root in a shell:
umask 0033
cd /etc/ssl/certs
echo | openssl s_client -showcerts \
-connect YOUR.SERVER:SSL_PORT \
2>&1 |sed -n '/^-----BEGIN/,/^-----END/p' \
> SOME_FILENAME.pem
c_rehash .
Once you've done the above, osc will no longer complain about an invalid (server) peer certificate, as the certificate of your Build Service instance server is now accepted as a valid one. Note that in order to be really secure, you need to ask an administrator of the server what the fingerprint (also called a hash) of the server certificate actually is, in order to compare and make sure you're not blessing an already compromised server or are already subject to a man-in-the-middle attack. To do so, an user who has root access to the server should run the following command, obviously as root, and then give you the output of that command, ideally through a secure communication channel, or through several channels (e.g. SMS mobile text message and/or a signed email and/or IRC from a registered nickname):
cat /etc/ssl/private/lighttpd.pem\
| sed -n '/^-----BEGIN CERT/,/^-----END CERT/p'\
| sha1sum | cut -f1 -d" "
You can then run the following command and compare the output with what that trusted user has given you:
fp=$(sha1sum /etc/ssl/certs/SOME_FILENAME.pem\
| cut -f1 -d" ")
server="...paste what the trusted user has given you here..."
test "$fp" = "$server" && echo OK || echo COMPROMISED
If you have already patched your osc client as I described in my previous post, you can undo that patch with the following code (again, as root in a shell):
umask 0077
cd $(dirname $(rpm -ql osc|grep /conf.py\$))
mv conf.py.orig conf.py
chmod 0644 conf.py

Labels: , ,

1 Comments:

Blogger Marcus Meissner said...

Ludwig has created an osc which saves the self-signed certificates.

There is no need for such evil workarounds.

Not sure if it is in any release yet, but it is in git/svn ;)

Ciao, Marcus

08:54  

Post a Comment

<< Home