Bug 1398701 - [sssd-secrets] https proxy talks plain http
Summary: [sssd-secrets] https proxy talks plain http
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Amith
URL:
Whiteboard:
Depends On: 1403214
Blocks: 1399979
Reported: 2016-11-25 15:57 UTC by Jakub Hrozek
Modified: 2020-05-02 18:30 UTC
CC List: 10 users

Fixed In Version: sssd-1.15.2-8.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:02:33 UTC
Target Upstream Version:
Embargoed:


Attachments
tcpdump output (ascii) (355.56 KB, text/plain)
2017-05-20 08:16 UTC, Niranjan Mallapadi Raghavender


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd issues | 4225 | 0 | None | closed | [sssd-secrets] https proxy talks plain http | 2020-06-01 07:37:57 UTC
Red Hat Product Errata | RHEA-2017:2294 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2017-08-01 12:39:55 UTC

Description Jakub Hrozek 2016-11-25 15:57:21 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/3192

sssd-secrets claims to support http and https proxies. However https does not actually talk TLS/SSL. According to Wireshark it sends plain HTTP.

{{{
[sssd]
services = nss
domains = local
config_file_version = 2

[domain/local]
id_provider=local

[secrets]
debug_level = 1310
timeout = 3000
 
[secrets/users/0]
provider=proxy
proxy_url = https://localhost:10443/secrets/
}}}
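
The configuration above hands sssd-secrets an https:// proxy_url and expects TLS on the wire. As an added example (not sssd code), the following Python audits every [secrets/users/<uid>] proxy section of an sssd.conf for the two transport mistakes this bug makes visible: a proxy_url that is not https:// (the scheme the unfixed proxy silently fell back to), and https:// with verify_peer disabled, which is what the reproducer later in this bug does and which yields encryption without server authentication. The option names (provider, proxy_url, verify_peer, cacert, auth_type, auth_header_name, auth_header_value) are the ones used in this bug's configs; the sample configuration, the uids 1001 and 1002, and the assumption that verify_peer defaults to true are constructed for the example.

```python
"""Added example, not sssd code: audit the [secrets/users/<uid>] proxy sections of an
sssd.conf for the transport mistakes this bug makes visible. Option names are the
ones used in the bug's configs; the sample config and uids are constructed."""
import configparser
import sys
from urllib.parse import urlsplit

FALSE_VALUES = {"false", "no", "0", "off"}

# Constructed sample: the reproducer's shape (https with verify_peer off), a plain
# http:// proxy, and a corrected section. Hostnames and paths follow the bug.
SAMPLE_CONF = """\
[sssd]
services = nss
domains = local
config_file_version = 2

[domain/local]
id_provider=local

[secrets]
debug_level = 9

[secrets/users/14583100]
provider = proxy
proxy_url = https://idm1.example.test/secrets/
cacert = /opt/mynss/cacert.pem
verify_peer = False
auth_type = header
auth_header_name = MYSECRETNAME
auth_header_value = mysecretkey

[secrets/users/1001]
provider = proxy
proxy_url = http://idm1.example.test/secrets/
auth_type = header
auth_header_name = MYSECRETNAME
auth_header_value = mysecretkey

[secrets/users/1002]
provider = proxy
proxy_url = https://idm1.example.test/secrets/
cacert = /opt/mynss/cacert.pem
verify_peer = True
auth_type = header
auth_header_name = MYSECRETNAME
auth_header_value = mysecretkey
"""


def audit_secrets_proxies(conf_text: str) -> list:
    """Return one finding per proxy section: {'section', 'proxy_url', 'issues'}.

    strict=False because sssd.conf files in the wild (the one in this bug included)
    repeat sections; interpolation=None because '%' is legal in sssd values.
    The default verify_peer = true is an assumption of this example.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("secrets/users/"):
            continue
        if cp.get(section, "provider", fallback="local").strip() != "proxy":
            continue
        url = cp.get(section, "proxy_url", fallback="").strip()
        scheme = urlsplit(url).scheme.lower()
        verify_peer = cp.get(section, "verify_peer", fallback="true").strip().lower()
        auth_type = cp.get(section, "auth_type", fallback="").strip().lower()
        issues = []
        if scheme != "https":
            issues.append("proxy_url is not https://, so secrets cross the network in the clear")
            if auth_type == "header":
                issues.append("auth_header_value goes out in the clear with every request")
        elif verify_peer in FALSE_VALUES:
            issues.append("verify_peer is off: the channel is encrypted but the server is not authenticated")
        findings.append({"section": section, "proxy_url": url, "issues": issues})
    return findings


def report(conf_text: str) -> list:
    """One human-readable line per issue, e.g. for a CI gate on config changes."""
    return [f"{f['section']} ({f['proxy_url']}): {issue}"
            for f in audit_secrets_proxies(conf_text) for issue in f["issues"]]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    print("\n".join(report(text)) or "no proxy transport issues found")
```

Run it as `python audit.py /etc/sssd/sssd.conf`; with no argument it audits the embedded sample and reports the https-with-verify_peer-off section and the http:// section, while the corrected section produces nothing.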

Comment 1 Jakub Hrozek 2017-03-30 18:57:42 UTC
master:
    13d720de13e490850c1139eea865bcd5195a2630
    db826f57b4c2ee814823057cc536386889f7aa1d
    af026ea6a6e812b7d6c5c889dda64ba7b7c433ee
    720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417
    06744bf5a47d5971a338281c8243b11cf72dac90
    df99d709c8cbef3c378c111944d83b7345e4c1ea
    793f2573b2beaf8b48eab850429482acf68ec2b1
    6698d40512e55e7c2d03e14c227c51b1edc77ffa
    ae6b11229d9961e26922918183c7c1de7780b8d6
    d1ed11fc50922aab2332758a9300f3fbf814f112
    c2ea75da72b426d98ba489039e220d417bfb4c2a
    886e0f75e6f4c7877a23a3625f8a20c09109b09d
    36e49a842e257ac9bde71728ee3bef4299b6e6e2
    b800a6d09244359959404aca81c6796a58cafbcb
    300b9e9217ee1ed8d845ed2370c5ccf5c87afb36

Comment 3 Niranjan Mallapadi Raghavender 2017-05-20 08:15:07 UTC
Versions
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)

custodia-0.3.1-2.el7.noarch
python-custodia-0.3.1-2.el7.noarch
sssd-common-pac-1.15.2-29.el7.x86_64
sssd-winbind-idmap-1.15.2-25.el7.x86_64
sssd-client-1.15.2-29.el7.x86_64
sssd-krb5-common-1.15.2-29.el7.x86_64
sssd-krb5-1.15.2-29.el7.x86_64
sssd-dbus-1.15.2-29.el7.x86_64
sssd-kcm-1.15.2-29.el7.x86_64
python-sssdconfig-1.15.2-29.el7.noarch
sssd-common-1.15.2-29.el7.x86_64
sssd-ad-1.15.2-29.el7.x86_64
sssd-proxy-1.15.2-29.el7.x86_64
sssd-1.15.2-29.el7.x86_64
sssd-ipa-1.15.2-29.el7.x86_64
sssd-tools-1.15.2-29.el7.x86_64
sssd-libwbclient-1.15.2-25.el7.x86_64
sssd-ldap-1.15.2-29.el7.x86_64



Custodia Config
===============

[DEFAULT]
libdir = /var/lib/custodia
logdir = /var/log/custodia
rundir = /var/run/custodia

[global]
debug = true
server_url = https://idm1.example.test:443
auditlog = ${logdir}/audit.log
tls_certfile = /opt/mynss/server.pem
tls_keyfile = /opt/mynss/server.key
tls_cafile = /opt/mynss/cacert.pem
tls_verify_client = False

# Accepts any request that specifies an arbitrary REMOTE_USER header
[auth:header]
handler = custodia.httpd.authenticators.SimpleHeaderAuth
header = MYSECRETNAME
value = mysecretkey

# Allow requests for all paths under '/' and '/secrets/'
[authz:paths]
handler = SimplePathAuthz
paths = / /secrets/

# Store secrets in a sqlite database called quick.db in the table 'secrets'
[store:quick]
handler = SqliteStore
dburi = ${libdir}/quick.db
table = secrets

# Serve starting from '/' and using the 'quick' store and the 'Root' handler
[/]
handler = Root
store = quick

sssd config
==========

[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldap://idm1.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = krb5
krb5_server = idm1.example.test
krb5_kpasswd = idm1.example.test
krb5_realm = EXAMPLE.TEST
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True

[nss]
debug_level = 9

[pam]
debug_level = 9
offline_credentials_expiration = 0

[secrets]
debug_level = 9

[kcm]
debug_level = 9

[secrets/users/14583100]
provider = proxy
proxy_url = https://idm1.example.test/secrets/
cacert = /opt/mynss/cacert.pem
cert = /opt/mynss/server.pem
key = /opt/mynss/server.key
verify_peer = False
auth_type = header
auth_header_name = MYSECRETNAME
auth_header_value = mysecretkey



1. Configure RHEL7.4 host to auth to kerberos with lookup from ldap
2. Configure a sub-section in sssd.conf for user foo0 with id 14583100 as shown above
3. Login as user foo0
4. From another terminal run tcpdump to capture packets on port 443
$ tcpdump -s0 -w /tmp/custodia.pcap -i lo port 443

5. Create a Container foobar2 using curl
curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPOST http://localhost/secrets/foobar2/

6. Save a password
curl -H "Content-Type: application/octet-stream" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foobar2/mailPassword -d 'Secret123'

7. Get the details of the container foobar2
curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foobar2/
["mailPassword"]

8. Get the details of the key mailPassword
curl -H "Content-Type: application/octet-stream" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foobar2/mailPassword
{"type":"simple","value":"U2VjcmV0MTIz"}

9. sssd_secrets logs show below output:


(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_request_send] (0x0400): Sending TCURL request for https://idm1.example.test/secrets//foobar2/mailPassword, at socket <none>
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000): timeout_ms: 1
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_socket] (0x2000): Activity on curl socket 13 socket data (nil)
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000): timeout_ms: 4999
(Sat May 20 13:38:54 2017) [sssd[secrets]] [check_curl_timeouts] (0x4000): Still tracking 1 outstanding requests
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): HTTP/1.0 200 OK

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Server: Custodia/0.1

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Date: Sat, 20 May 2017 08:08:54 GMT

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Content-Length: 40

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): Content-Type: application/json; charset=utf-8

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000):

(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): ---> begin libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): {"type":"simple","value":"U2VjcmV0MTIz"}
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_write_data] (0x2000): <--- end libcurl data
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_socket] (0x2000): Activity on curl socket 13 socket data 0x7f7aa5fcd020
(Sat May 20 13:38:54 2017) [sssd[secrets]] [handle_curlmsg_done] (0x0400): Handled https://idm1.example.test/secrets//foobar2/mailPassword
(Sat May 20 13:38:54 2017) [sssd[secrets]] [tcurl_request_done] (0x0400): TCURL request finished [0]: Success
(Sat May 20 13:38:54 2017) [sssd[secrets]] [schedule_fd_processing] (0x2000): timeout_ms: -1
(Sat May 20 13:38:54 2017) [sssd[secrets]] [check_curl_timeouts] (0x4000): Still tracking 0 outstanding requests
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_http_reply_iobuf] (0x1000): HTTP reply 200
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_provider_recv] (0x2000): Request finished
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_http_request_pipeline_done] (0x2000): sec request done
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_send_data] (0x2000): sent 185 bytes, 0 bytes remaining
(Sat May 20 13:38:54 2017) [sssd[secrets]] [sec_recv] (0x4000): Client closed connection.
(Sat May 20 13:38:54 2017) [sssd[secrets]] [client_close_fn] (0x2000): Terminated client [0x7f7aa5ef8b80][12]


Tcpdump output:
==============


Transmission Control Protocol, Src Port: 443 (443), Dst Port: 42468 (42468), Seq: 1, Ack: 192, Len: 2163
    Source port: 443 (443)
    Destination port: 42468 (42468)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 2164    (relative sequence number)]
    Acknowledgment number: 192    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 350
    [Calculated window size: 44800]
    [Window size scaling factor: 128]
    Checksum: 0x7e63 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 247537721, TSecr 247537720
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 247537721
            Timestamp echo reply: 247537720
    [SEQ/ACK analysis]
        [Bytes in flight: 2163]
        [TCP Analysis Flags]
            [This frame ACKs a segment we have not seen]
                [Expert Info (Warn/Sequence): ACKed segment that wasn't captured (common at capture start)]
                    [Message: ACKed segment that wasn't captured (common at capture start)]
                    [Severity level: Warn]
                    [Group: Sequence]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 89
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 85
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: Dec 17, 2073 19:34:39.000000000 IST
                random_bytes: 3708e4f9ac4c64cc08cc1711ba1d52fe4669ee43bf4adc26...
            Session ID Length: 32
            Session ID: d719eba89b47ec91a336ebe6d1dc211d6c4338f25b1a5173...
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Compression Method: null (0)
            Extensions Length: 13
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 1717
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1713
            Certificates Length: 1710
            Certificates (1710 bytes)
                Certificate Length: 871
                Certificate
                (id-at-commonName=idm1.example.test,id-at-organizationName=IDMQE,id-at-localityName=Pune,id-at-stateOrProvinceName=Maharashtra,id-at-countryName=IN)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 2851820452
                        signature (sha256WithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
...
<Certificate exchange>

    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 329
            EC Diffie-Hellman Server Params
                curve_type: named_curve (0x03)
                named_curve: secp256r1 (0x0017)
                Pubkey Length: 65
                pubkey: 04ad89c01d992c3b59ccc5a0986abb89de17cbe2d2e01cd6...
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Length: 256
                signature: 4863bc69e6943b757633217e8cdff4b84445672abe2c414a...
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
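
The dissection above is the evidence that the fixed proxy really negotiates TLS: the server on port 443 answers with a TLS 1.2 ServerHello selecting TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, whereas the original report saw an ASCII HTTP request on the same port. The following Python is an added example, not sssd or Custodia code, for re-checking this kind of regression without Wireshark: a one-shot loopback listener records whether the first bytes a client sends are a TLS ClientHello or a plaintext HTTP request line, and a small parser pulls version and cipher suite out of a ServerHello record in the same fields the dissection shows. The ServerHello bytes in the block are constructed, and the loopback port, the server_hostname "localhost" and the 16-byte read are choices of this example. One caveat on the reproducer itself: with verify_peer = False the capture demonstrates encryption, not server authentication, so a production proxy_url should keep peer verification on.

```python
"""Added example, not sssd or Custodia code: check on the wire whether a client that
was given an https:// URL really starts TLS, and read the negotiated version and
cipher suite out of a ServerHello record as the Wireshark dissection shows them."""
import socket
import ssl
import struct
import threading

TLS_CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_NAMES = {0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}  # the suite in the capture
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_client_bytes(data: bytes) -> str:
    """Classify the first bytes a client wrote to a port that should carry HTTPS.

    TLS opens with a record header (content type 0x16, version 0x03xx, 2-byte length)
    followed by a ClientHello (handshake type 0x01). A client that ignores the
    https:// scheme writes an ASCII request line instead, which is this bug.
    """
    if (len(data) >= 6 and data[0] == TLS_CONTENT_HANDSHAKE
            and data[1] == 0x03 and data[5] == HANDSHAKE_CLIENT_HELLO):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def parse_server_hello(record: bytes) -> dict:
    """Return version, session id length and cipher suite of a ServerHello record.

    RFC 5246 layout: record header (5) | type (1) | length (3) | version (2) |
    random (32) | session_id_len (1) | session_id | cipher_suite (2) | compression (1).
    """
    if len(record) < 5 or record[0] != TLS_CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 3:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    version = struct.unpack("!H", hello[0:2])[0]
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "session_id_len": hello[34],
            "cipher_suite": CIPHER_NAMES.get(suite, hex(suite))}


def build_server_hello(version=0x0303, suite=0xC030, session_id=b"\x11" * 32) -> bytes:
    """Constructed sample: a minimal ServerHello record without extensions."""
    hello = (struct.pack("!H", version) + b"\x00" * 32 + bytes([len(session_id)])
             + session_id + struct.pack("!H", suite) + b"\x00")
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([TLS_CONTENT_HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


def _probe_listener(srv: socket.socket, out: list, timeout: float) -> None:
    """Accept one connection, classify its first 16 bytes, then hang up."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(timeout)
        out.append(classify_client_bytes(conn.recv(16)))


def run_probe_roundtrip(payload, timeout: float = 5.0) -> str:
    """Drive the probe end to end on loopback and return the listener's verdict.

    payload (bytes) is written verbatim; None instead runs a genuine TLS handshake
    through the ssl module so a real ClientHello is sent. For a real client, bind a
    fixed port instead of 0 and point its proxy_url at https://127.0.0.1:<port>/.
    """
    out = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        worker = threading.Thread(target=_probe_listener, args=(srv, out, timeout))
        worker.start()
        client = socket.create_connection(("127.0.0.1", port), timeout=timeout)
        try:
            if payload is None:
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                ctx.check_hostname = False  # the probe has no certificate to check
                ctx.verify_mode = ssl.CERT_NONE
                client = ctx.wrap_socket(client, do_handshake_on_connect=False,
                                         server_hostname="localhost")
                client.do_handshake()  # fails: the listener hangs up after 16 bytes
            else:
                client.sendall(payload)
        except (ssl.SSLError, OSError):
            pass  # expected; the probe only records what arrived, it never answers
        finally:
            client.close()
        worker.join(timeout)
    return out[0] if out else "no-data"
```

To test an actual sssd-secrets build, bind a fixed port in run_probe_roundtrip, set proxy_url = https://127.0.0.1:<port>/secrets/ in the [secrets/users/<uid>] section, trigger one lookup through /var/run/secrets.socket as in step 8, and read the verdict: the unfixed proxy yields "plaintext-http", the fixed one "tls". The probe deliberately never completes the handshake, so it cannot tell you whether the client would have verified the server certificate; that is what verify_peer and the cacert setting control.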

Comment 4 Niranjan Mallapadi Raghavender 2017-05-20 08:16:07 UTC
Created attachment 1280585 [details]
tcpdump output (ascii)

Comment 5 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

