  1. ZABBIX BUGS AND ISSUES
  2. ZBX-25272

zabbix-agent2 web.certificate.get certificate validation bug


    • Prev.Sprint, S24-W44/45, S24-W46/47
    • 2

      Steps to reproduce:

      1. Make a self-signed certificate with different Issuer CN and Subject CN
      2. Try to verify validity

      Result:

      "result":{"value":"invalid","message":"failed to verify certificate: x509: certificate signed by unknown authority"}

      Expected:

      I expected result to be "valid-but-self-signed"

       

      The problem is that the if statement used to detect validity is expecting `subject == issuer`

      https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/src/go/plugins/web/certificate/certificate.go#171

      However this is often not the case. The certificate can still be self-signed without such requirement. Often the subject and issuer won't match on self-signed certificates.

       

      I believe this requirement should be removed from the checks. Not matching subject and issuer does not make a certificate invalid and has little to do with the certificate being self-signed or not.

       

      A self-signed certificate without subject == issuer is still a valid certificate.

      Also, is it the plugin's task to verify such things? Isn't a check of whether two strings match or not what the template triggers should do? Because then one can set up a macro to say "it is ok if subject != issuer". Now we have no control over what the plugin thinks is valid/invalid etc.

            adancis Arturs Dancis
            yurtesen Evren Yurtesen
            Team A
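
The distinction this report turns on, as an added Go example (not the Zabbix plugin's code): comparing subject and issuer names and checking that the signature verifies under the certificate's own public key are independent tests. The keys, names and helper functions (`newKey`, `makeCert`, `selfIssued`, `selfSigned`) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed throwaway key
	return k
}

// makeCert builds a constructed test certificate for subj's public key, signed by signer.
func makeCert(subjectCN, issuerCN string, subj, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subjectCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// CreateCertificate takes the issuer name from parent.Subject.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subj.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selfIssued: name comparison only (subject DN equals issuer DN).
func selfIssued(c *x509.Certificate) bool { return bytes.Equal(c.RawSubject, c.RawIssuer) }

// selfSigned: the signature verifies under the certificate's own public key.
func selfSigned(c *x509.Certificate) bool { return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil }

func main() {
	k1, k2 := newKey(), newKey()
	a, _ := makeCert("host.example", "Internal Test Issuer", k1, k1) // names differ, own key
	b, _ := makeCert("host.example", "host.example", k1, k2)         // names match, other key
	fmt.Println("a: selfIssued", selfIssued(a), "selfSigned", selfSigned(a))
	fmt.Println("b: selfIssued", selfIssued(b), "selfSigned", selfSigned(b))
}
```

Certificate `a` reproduces the case in the steps above (signed with its own key, different Issuer CN and Subject CN); certificate `b` is the reverse case, where the names match but the signature comes from another key.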