Feature #7531
openpkg behavior when encountering invalid SSL certificate
0%
Description
I just tried installing the acme package via the web interface. Output here:
Installing pfSense-pkg-acme...
Updating pfSense-core repository catalogue...
SSL certificate subject doesn't match host files01.netgate.com
SSL certificate subject doesn't match host files01.netgate.com
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
SSL certificate subject doesn't match host files01.netgate.com
SSL certificate subject doesn't match host files01.netgate.com
pfSense repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):New packages to be INSTALLED:
pfSense-pkg-acme: 0.1.16 [pfSense]
php56-ftp: 5.6.30 [pfSense]Number of packages to be installed: 2
84 KiB to be downloaded.
SSL certificate subject doesn't match host files01.netgate.com
[1/2] Fetching pfSense-pkg-acme-0.1.16.txz: ........ done
SSL certificate subject doesn't match host files01.netgate.com
[2/2] Fetching php56-ftp-5.6.30.txz: ... done
Checking integrity... done (0 conflicting)
[1/2] Installing php56-ftp-5.6.30...
[1/2] Extracting php56-ftp-5.6.30: ........ done
[2/2] Installing pfSense-pkg-acme-0.1.16...
Extracting pfSense-pkg-acme-0.1.16: .......... done
Saving updated package information...
done.
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...done.
Menu items... done.
Writing configuration... done.
Message from php56-ftp-5.6.30:
The following line has been added to your /usr/local/etc/php/ext-20-ftp.ini
configuration file to automatically load the installed extension:extension=ftp.so
Cleaning up cache... done.
Success
These lines concerned me.
SSL certificate subject doesn't match host files01.netgate.com
SSL certificate subject doesn't match host files01.netgate.com
What was going on? I looked to openssl for answers (some portions snipped for
length's sake)
$ openssl s_client
connect files01.netgate.com:443
CONNECTED
--
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
This is the same certificate served on pfsense.org, so most likely just a
misconfigured certificate and not something more nefarious. And even if it was
something more nefarious, pkg checks that the catalog file is signed by a
trusted key, see https://lists.freebsd.org/pipermail/freebsd-pkg/2014-January/000185.html
So there was no need for concern on my part, but from a user's perspective it is
concerning to see pkg installation succeed alongside messages that suggest that
it maybe shouldn't.
It may be useful to consider either aborting package installation when invalid
SSL certificates are encountered, or (better IMO) would be to add an
additional message that assures the user that the catalog signature checks out
in spite of those SSL errors.
No data to display