[GitHub] [trafficcontrol] zrhoffman opened a new issue, #7046: POST /deliveryservices/sslkeys/add accepts unrelated certificates

Tue, 30 Aug 2022 09:17:31 -0700 


zrhoffman opened a new issue, #7046:
URL: https://github.com/apache/trafficcontrol/issues/7046

   <!--
   ************ STOP!! ************
   If this issue identifies a security vulnerability, DO NOT submit it! 
Instead, contact
   the Apache Traffic Control Security Team at 
secur...@trafficcontrol.apache.org and follow the
   guidelines at https://apache.org/security regarding vulnerability disclosure.
   
   - For *SUPPORT QUESTIONS*, use the #traffic-control channel on the ASF slack 
(https://s.apache.org/tc-slack-request)
   or the Traffic Control Users mailing list (send an email to 
users-subscr...@trafficcontrol.apache.org to subscribe).
   - Before submitting, please **SEARCH GITHUB** for a similar issue or PR
       * https://github.com/apache/trafficcontrol/issues
       * https://github.com/apache/trafficcontrol/pulls
   -->
   
   <!-- Do not submit security vulnerabilities or support requests here - see 
above -->
   ## This Bug Report affects these Traffic Control components:
   <!-- delete all those that don't apply -->
   - Traffic Ops
   
   ## Current behavior:
   <!-- Describe how the bug happens -->
   `POST /api/4.1/deliveryservices/sslkeys/add` accepts unrelated certificates 
included in the `certificate.crt` field
   
   ## Expected behavior:
   <!-- Describe what the behavior would be without the bug -->
   Including a certificate that is not part of the Leaf-Intermediate-Root chain 
should result in a response with a 400-level HTTP status code.
   
   ## Steps to reproduce:
   <!-- If the current behavior is a bug, please provide the *STEPS TO 
REPRODUCE* and
   include the applicable TC version.
   -->
   1. Create Delivery Service 1
   2. Generate a self-signed certificate for DS 1
   3. Create Delivery Service 2
   4. Generate a self-signed certificate for DS 2
   5. Append the DS 2 certificate to the bottom of the DS 1 certificate and POST
   
   `POST /api/4.1/deliveryservices/sslkeys/add` response:
   
   ```json
   {
     "alerts": [
       {
         "text": "WARNING: SSL keys were successfully added for 
'my-delivery-service-1', but the input certificate may be invalid (certificate 
is signed by an unknown authority)",
         "level": "warning"
       }
     ]
   }
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@trafficcontrol.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to