[Patch] TLS/DTLS: inconsistent allowed_uses behaviour when in debug mode / not in debug mode

Bug #1912390 reported by Graham Leggett
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
net-snmp (Fedora)
Unknown
Unknown
net-snmp (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Certificate allowed_uses are not indexed by net-snmp. As a result, the trustCert option works the first time snmpd is started, but fails thereafter.

In addition, there is no support for intermediate certificates (they are ignored) and as a result no possibility to use net-snmp with Let's Encrypt.

Steps to Reproduce:
1. Configure net-snmp for DTLS using localCert and trustCert.
2. Load net-snmp once with empty index.
3. Reload net-snmp.

Actual results:

trustCert is no longer recognised, as the "CA" flag is unindexed and missing.

Expected results:

trustCert works properly.

Additional info:

Patches to update net-snmp to fix this index issue, as well as to properly support CA certificates are available here:

https://github.com/net-snmp/net-snmp/issues/255
https://github.com/net-snmp/net-snmp/issues/248
https://github.com/net-snmp/net-snmp/issues/242
https://github.com/net-snmp/net-snmp/issues/241
https://github.com/net-snmp/net-snmp/issues/245

Related branches

tags: added: patch
affects: nagios-plugins (Ubuntu) → net-snmp (Ubuntu)
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the report. I've reassigned the bug to net-snmp, since this is not a nagios-plugins issue.

I'm also having a bit of trouble reproducing this one. I think I generated the certificates correctly by doing:

# net-snmp-cert genca -I -n hostname.example.com
# net-snmp-cert gencsr -I -t snmpd -n hostname.example.com --san DNS:snmpd.example.com
# net-snmp-cert signcsr -I --with-ca hostname.example.com --csr snmpd
# cd /etc/snmp/tls
# mv newcerts/*.crt certs/
# chmod a+r certs/* ca-certs/*

I also added the following lines to /etc/snmp/snmpd.conf:

[snmp] localCert /etc/snmp/tls/certs/snmpd.crt
[snmp] trustCert /etc/snmp/tls/ca-certs/hostname.example.com.crt

The only debug mode I could find was passing -D to snmpd, so I edited snmpd.service to do that. I can't anything about trustCert on the logs, though.

Could you please provide a more detailed instruction on how to reproduce the failure?

Revision history for this message
Graham Leggett (minfrin-y) wrote :

Net-snmp has an index of certs, typically /var/lib/net-snmp/cert-indexes (from memory).

Start with this directory empty - no files called 0, 1, 2, etc.

On first run of either client or server, with no index, all the certs are loaded correctly, and the index is populated. The loading of certs will cause CA certificates to be identified as CA certs, and correctly marked. Net-snmp will work exactly once.

On second and subsequent runs, with an index, none of the certs are loaded, just the index. Because the certificate types are not indexed, the query “give me matching CA certs” now returns zero CA certs, because the flag indicating the cert is a CA is now unpopulated. No CA certs loaded, connections fail with peer cert not trusted, suddenly after working once we now stop working.

Now a curve ball. You’re confused. You want to figure out what is going on. So you turn on debug. The debug causes the cert to be loaded so the cert can be dumped to the log. This has a side effect that in loading the cert, the CA flag is populated. Suddenly it works again. Stiff coffee all round.

So, to see the problem switch debug off, run net-snmp on a debugger instead. Run it once and see it work. Run it a second time and see it not work, peer cert is not trusted. This is because net-snmp looks up CA certs in index, finds zero, tells other side to go away.

The fix: modify the index to add a field for cert type.

Revision history for this message
Graham Leggett (minfrin-y) wrote :

Another detail.

localCert /etc/snmp/tls/certs/snmpd.crt

The localCert parameter doesn’t accept a path, but rather a file prefix (or a fingerprint).

It should look like this:

LocalCert snmpd

The above means “search for a file called ‘snmpd.*’ in my certificate store”.

This too confused me until I got it up onto the debugger.

Revision history for this message
Graham Leggett (minfrin-y) wrote :

Quick ping on this one - fixes for this issue released in https://github.com/net-snmp/net-snmp/releases/tag/v5.9.1.rc1.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for the heads-up Graham. Our team will be taking a look at it.

Revision history for this message
Graham Leggett (minfrin-y) wrote :
Bryce Harrington (bryce)
tags: added: server-todo
Revision history for this message
Bryce Harrington (bryce) wrote :

Per Graham's comment #4, if this is already included for 5.9.1, then we should pick it up automatically with the ubuntu-jammy merge (see LP: #1946877).

Someone may also want to evaluate if the fix should also be sru'd to focal.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Yeah, thanks for the reminder, Bryce. I will keep this in mind when I start working on the merge.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package net-snmp - 5.9.1+dfsg-1ubuntu1

---------------
net-snmp (5.9.1+dfsg-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1946877, #1912390). Remaining changes:
    - Add apport hook:
      + d/control: add dh-apport to Build-Depends
      + d/rules: install the apport hook via debhelper
      + d/source.apport: apport hook
    - d/p/lp1945960-*: backport patches for the OpenSSL3 transition
      (LP #1945960)
  * Dropped changes, incorporated by Debian:
    - d/libsnmp-dev.install: Don't install archive (.a) files.
      The archive files are just temporary files generated in order to
      create the final shared objects (.so), and we don't need to ship
      them in the package.
  * Dropped changes, incorporated upstream:
    - Fix segmentation fault when certificate contains extension
      longer than 512 bytes (LP #1912389)
      + d/p/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch:
        Skip certificate if loading fails.
      + d/p/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch:
        Make sure enough space is allocated for extensions longer than
        512 bytes.

 -- Sergio Durigan Junior <email address hidden> Tue, 11 Jan 2022 20:39:24 -0500

Changed in net-snmp (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.