Bug 1398701

Summary: [sssd-secrets] https proxy talks plain http
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Amith <apeetham>
Severity: unspecified
Docs Contact:
Priority: high
Version: 7.3
CC: cheimes, grajaiya, jhrozek, lslebodn, mkosek, mniranja, mzidek, nsoman, pbrezina, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.15.2-8.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 09:02:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1403214
Bug Blocks: 1399979
Attachments: tcpdump output (ascii)

Description Jakub Hrozek 2016-11-25 15:57:21 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/3192

sssd-secrets claims to support http and https proxies. However https does not actually talk TLS/SSL. According to Wireshark it sends plain HTTP.

{{{
[sssd]
services = nss
domains = local
config_file_version = 2

[domain/local]
id_provider=local

[secrets]
debug_level = 1310
timeout = 3000
 
[secrets/users/0]
provider=proxy
proxy_url = https://localhost:10443/secrets/
}}}

Comment 1 Jakub Hrozek 2017-03-30 18:57:42 UTC
master:
    13d720de13e490850c1139eea865bcd5195a2630
    db826f57b4c2ee814823057cc536386889f7aa1d
    af026ea6a6e812b7d6c5c889dda64ba7b7c433ee
    720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417
    06744bf5a47d5971a338281c8243b11cf72dac90
    df99d709c8cbef3c378c111944d83b7345e4c1ea
    793f2573b2beaf8b48eab850429482acf68ec2b1
    6698d40512e55e7c2d03e14c227c51b1edc77ffa
    ae6b11229d9961e26922918183c7c1de7780b8d6
    d1ed11fc50922aab2332758a9300f3fbf814f112
    c2ea75da72b426d98ba489039e220d417bfb4c2a
    886e0f75e6f4c7877a23a3625f8a20c09109b09d
    36e49a842e257ac9bde71728ee3bef4299b6e6e2
    b800a6d09244359959404aca81c6796a58cafbcb
    300b9e9217ee1ed8d845ed2370c5ccf5c87afb36

Comment 3 Niranjan Mallapadi Raghavender 2017-05-20 08:15:07 UTC
Versions
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)

custodia-0.3.1-2.el7.noarch
python-custodia-0.3.1-2.el7.noarch
sssd-common-pac-1.15.2-29.el7.x86_64
sssd-winbind-idmap-1.15.2-25.el7.x86_64
sssd-client-1.15.2-29.el7.x86_64
sssd-krb5-common-1.15.2-29.el7.x86_64
sssd-krb5-1.15.2-29.el7.x86_64
sssd-dbus-1.15.2-29.el7.x86_64
sssd-kcm-1.15.2-29.el7.x86_64
python-sssdconfig-1.15.2-29.el7.noarch
sssd-common-1.15.2-29.el7.x86_64
sssd-ad-1.15.2-29.el7.x86_64
sssd-proxy-1.15.2-29.el7.x86_64
sssd-1.15.2-29.el7.x86_64
sssd-ipa-1.15.2-29.el7.x86_64
sssd-tools-1.15.2-29.el7.x86_64
sssd-libwbclient-1.15.2-25.el7.x86_64
sssd-ldap-1.15.2-29.el7.x86_64



Custodia Config
===============

[DEFAULT]
libdir = /var/lib/custodia
logdir = /var/log/custodia
rundir = /var/run/custodia

[global]
debug = true
server_url = https://idm1.example.test:443
auditlog = ${logdir}/audit.log
tls_certfile = /opt/mynss/server.pem
tls_keyfile = /opt/mynss/server.key
tls_cafile = /opt/mynss/cacert.pem
tls_verify_client = False

# Accept any request that carries the MYSECRETNAME header with the value below
# (SimpleHeaderAuth: the header name and value act as the shared secret)
[auth:header]
handler = custodia.httpd.authenticators.SimpleHeaderAuth
header = MYSECRETNAME
value = mysecretkey

# Allow requests for all paths under '/' and '/secrets/'
[authz:paths]
handler = SimplePathAuthz
paths = / /secrets/

# Store secrets in a sqlite database called quick.db in the table 'secrets'
[store:quick]
handler = SqliteStore
dburi = ${libdir}/quick.db
table = secrets

# Serve starting from '/' and using the 'quick' store and the 'Root' handler
[/]
handler = Root
store = quick

sssd config
==========

[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldap://idm1.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = krb5
krb5_server = idm1.example.test
krb5_kpasswd = idm1.example.test
krb5_realm = EXAMPLE.TEST
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True

[nss]
debug_level = 9

[pam]
debug_level = 9
offline_credentials_expiration = 0

[secrets]
debug_level = 9

[kcm]
debug_level = 9

[secrets/users/14583100]
provider = proxy
proxy_url = https://idm1.example.test/secrets/
cacert = /opt/mynss/cacert.pem
cert = /opt/mynss/server.pem
key = /opt/mynss/server.key
verify_peer = False
auth_type = header
auth_header_name = MYSECRETNAME
auth_header_value = mysecretkey



1. Configure RHEL7.4 host to auth to kerberos with lookup from ldap
2. Configure a sub-section in sssd.conf for user foo0 with id 14583100 as
shown above
3. Login as user foo0
4. From another terminal run tcpdump to capture packets on port 443
$ tcpdump -s0 -w /tmp/custodia.pcap -i lo port 443

5. Create a Container foobar2 using curl
curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPOST http://localhost/secrets/foobar2/

6. Save a password
curl -H "Content-Type: application/octet-stream" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foobar2/mailPassword -d 'Secret123'

7. Get the details of the container foobar2
curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foobar2/
["mailPassword"]

8. Get the details of the key mailPassword
curl -H "Content-Type: application/octet-stream" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foobar2/mailPassword
{"type":"simple","value":"U2VjcmV0MTIz"}

9. sssd_secrets logs show below output:


(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_request_send] (0x0400):
Sending TCURL request for
https://idm1.example.test/secrets//foobar2/mailPassword, at socket <none>
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000):
timeout_ms: 1
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_socket] (0x2000): Activity
on curl socket 13 socket data (nil)
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000):
timeout_ms: 4999
(Sat May 20 13:38:54 2017) [sssd[secrets]] [check_curl_timeouts] (0x4000):
Still tracking 1 outstanding requests
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): --->
begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000):
HTTP/1.0 200 OK

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <---
end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): --->
begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Server:
Custodia/0.1

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <---
end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): --->
begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Date:
Sat, 20 May 2017 08:08:54 GMT

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <---
end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): --->
begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000):
Content-Length: 40

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <---
end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): --->
begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000):
Content-Type: application/json; charset=utf-8

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <---
end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): --->
begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000):

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <---
end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): --->
begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000):
{"type":"simple","value":"U2VjcmV0MTIz"}
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <---
end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_socket] (0x2000): Activity
on curl socket 13 socket data 0x7f7aa5fcd020
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_curlmsg_done] (0x0400):
Handled https://idm1.example.test/secrets//foobar2/mailPassword
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_request_done] (0x0400): TCURL
request finished [0]: Success
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000):
timeout_ms: -1
(Sat May 20 13:38:54 2017) [sssd[secrets]] [check_curl_timeouts] (0x4000):
Still tracking 0 outstanding requests
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_http_reply_iobuf] (0x1000):
HTTP reply 200
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_provider_recv] (0x2000):
Request finished
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_http_request_pipeline_done]
(0x2000): sec request done
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_send_data] (0x2000): sent 185
bytes, 0 bytes remaining
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_recv] (0x4000): Client closed
connection.
(Sat May 20 13:38:54 2017) [sssd[secrets]] [client_close_fn] (0x2000):
Terminated client [0x7f7aa5ef8b80][12]


Tcpdump output:
==============


Transmission Control Protocol, Src Port: 443 (443), Dst Port: 42468 (42468),
Seq: 1, Ack: 192, Len: 2163
    Source port: 443 (443)
    Destination port: 42468 (42468)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 2164    (relative sequence number)]
    Acknowledgment number: 192    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 350
    [Calculated window size: 44800]
    [Window size scaling factor: 128]
    Checksum: 0x7e63 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 247537721, TSecr 247537720
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 247537721
            Timestamp echo reply: 247537720
    [SEQ/ACK analysis]
        [Bytes in flight: 2163]
        [TCP Analysis Flags]
            [This frame ACKs a segment we have not seen]
                [Expert Info (Warn/Sequence): ACKed segment that wasn't
            captured (common at capture start)]
                    [Message: ACKed segment that wasn't captured (common at
            capture start)]
                    [Severity level: Warn]
                    [Group: Sequence]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 89
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 85
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: Dec 17, 2073 19:34:39.000000000 IST
                random_bytes:
            3708e4f9ac4c64cc08cc1711ba1d52fe4669ee43bf4adc26...
            Session ID Length: 32
            Session ID: d719eba89b47ec91a336ebe6d1dc211d6c4338f25b1a5173...
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Compression Method: null (0)
            Extensions Length: 13
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 1717
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1713
            Certificates Length: 1710
            Certificates (1710 bytes)
                Certificate Length: 871
                Certificate
                (id-at-commonName=idm1.example.test,id-at-organizationName=IDMQE,id-at-localityName=Pune,id-at-stateOrProvinceName=Maharashtra,id-at-countryName=IN)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 2851820452
                        signature (sha256WithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.11
                            (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
...
<Certificate exchange>

    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 329
            EC Diffie-Hellman Server Params
                curve_type: named_curve (0x03)
                named_curve: secp256r1 (0x0017)
                Pubkey Length: 65
                pubkey: 04ad89c01d992c3b59ccc5a0986abb89de17cbe2d2e01cd6...
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Length: 256
                signature: 4863bc69e6943b757633217e8cdff4b84445672abe2c414a...
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
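
The check that both the description and the QA verification in comment 3 rest on is whether the bytes sssd-secrets puts on port 443 for an https proxy_url are TLS records or a plaintext HTTP request; comment 3 settles it by reading the Wireshark dissection by hand. The following is an added Python example, not code from this bug report, SSSD or Custodia, that automates that reading: it classifies the first bytes of a captured TCP payload as TLS or plaintext HTTP and, when the record is a ServerHello, extracts the negotiated version and cipher suite (the same fields comment 3 quotes). The sample payloads, the function names and the single-entry cipher-suite table are assumptions of the example; the "plaintext" sample is what a downgraded client would send, including the header-based shared secret from the comment 3 configuration in the clear.

```python
# Added example (not code from the bug report, SSSD or Custodia): decide from the
# first bytes of a captured TCP payload whether the sssd-secrets proxy leg is
# TLS or plaintext HTTP, and pull the negotiated parameters out of a ServerHello.
# The sample payloads below are constructed here; they are not the attached capture.
import struct

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, alert, handshake, app data
TLS_HANDSHAKE = 0x16
SERVER_HELLO = 0x02
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Only the suite seen in the comment 3 capture is named; any other is shown as hex.
CIPHER_NAMES = {0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
HTTP_STARTS = (b"GET ", b"PUT ", b"POST ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"HTTP/")


def classify(payload: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes of a TCP stream."""
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"          # a TLS record header: type, version 0x03xx, length
    if payload.startswith(HTTP_STARTS):
        return "http"         # a plaintext request line or status line
    return "unknown"


def parse_server_hello(payload: bytes) -> dict:
    """Parse the first TLS record if it carries a ServerHello (RFC 5246 7.4.1.3)."""
    if classify(payload) != "tls" or payload[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    if len(body) != rec_len or body[0] != SERVER_HELLO:
        raise ValueError("not a complete ServerHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                       # skip the 32-byte server random
    sid_len = hs[pos]
    pos += 1 + sid_len                 # skip the session id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    compression = hs[pos + 2]
    return {
        "version": TLS_VERSIONS.get(version, hex(version)),
        "cipher_suite": CIPHER_NAMES.get(cipher, hex(cipher)),
        "compression": compression,
    }


def check_https_proxy_leg(payload: bytes) -> dict:
    """Verdict for a proxy_url of https://...: the wire must carry TLS records.

    This proves TLS framing only. With verify_peer = False (as in the comment 3
    config) the client has not authenticated the server, so 'ok' is not a
    statement about trust in the peer.
    """
    kind = classify(payload)
    verdict = {"kind": kind, "ok": kind == "tls"}
    if kind == "tls" and len(payload) > 5 and payload[0] == TLS_HANDSHAKE \
            and payload[5] == SERVER_HELLO:
        verdict.update(parse_server_hello(payload))
    return verdict


def build_server_hello(cipher: int = 0xC030, version: int = 0x0303) -> bytes:
    """Construct a minimal ServerHello record (test data, not a real capture)."""
    random = bytes(range(32))
    session_id = bytes(32)
    hello = (struct.pack("!H", version) + random
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher) + b"\x00"       # compression: null
             + struct.pack("!H", 0))                     # no extensions
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: what a downgraded client would put on port 443 (note the
# shared-secret header in the clear), and what the fixed client should.
SAMPLE_PLAINTEXT = (b"GET /secrets/foobar2/mailPassword HTTP/1.1\r\n"
                    b"Host: idm1.example.test\r\nMYSECRETNAME: mysecretkey\r\n\r\n")
SAMPLE_TLS = build_server_hello()

if __name__ == "__main__":
    for name, sample in (("plaintext", SAMPLE_PLAINTEXT), ("tls", SAMPLE_TLS)):
        print(name, check_https_proxy_leg(sample))
```

Feed check_https_proxy_leg() the payload of the first packet in each direction of the port 443 stream from the capture. A "tls" verdict confirms only that TLS records are on the wire: the comment 3 setup has verify_peer = False on the sssd side and tls_verify_client = False on the Custodia side, so it demonstrates that the https scheme is honoured, not that either end authenticated the other; for a production deployment both should be turned back on.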

Comment 4 Niranjan Mallapadi Raghavender 2017-05-20 08:16:07 UTC
Created attachment 1280585 [details]
tcpdump output (ascii)

Comment 5 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294