[Patch] TLS/DTLS: inconsistent allowed_uses behaviour when in debug mode / not in debug mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
net-snmp (Fedora) | Unknown | Unknown | |
net-snmp (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Certificate allowed_uses are not indexed by net-snmp. As a result, the trustCert option works the first time snmpd is started, but fails thereafter.
In addition, there is no support for intermediate certificates (they are ignored) and as a result no possibility to use net-snmp with Let's Encrypt.
Steps to Reproduce:
1. Configure net-snmp for DTLS using localCert and trustCert.
2. Load net-snmp once with empty index.
3. Reload net-snmp.
Actual results:
trustCert is no longer recognised, as the "CA" flag is unindexed and missing.
Expected results:
trustCert works properly.
Additional info:
Patches to update net-snmp to fix this index issue, as well as to properly support CA certificates are available here:
https:/
https:/
https:/
https:/
https:/
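The "CA flag" the report says net-snmp drops from its certificate index is the X.509 basicConstraints cA bit. As an added, stand-alone illustration (not net-snmp code and not from the reporter's patches), the script below reads that bit with a minimal standard-library DER walker, so a trustCert file or an intermediate can be checked for CA:TRUE independently of whatever net-snmp has indexed. The certificate bodies it builds for its own checks are constructed in-script and unsigned; the file paths in the usage comment are assumptions.

```python
import base64
import re
import sys
from typing import Optional

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19 id-ce-basicConstraints


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def is_ca_cert(der: bytes) -> bool:
    """True if basicConstraints says cA=TRUE; False if it says cA=FALSE or is absent."""
    _, cert, _ = _read_tlv(der, 0)                    # Certificate SEQUENCE
    tbs_tag, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate SEQUENCE
    if tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    for tag, value in _children(tbs):
        if tag != 0xA3:                               # [3] EXPLICIT Extensions
            continue
        _, ext_list, _ = _read_tlv(value, 0)
        for _, ext in _children(ext_list):
            fields = list(_children(ext))             # OID, optional critical BOOLEAN, OCTET STRING
            if fields[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc, _ = _read_tlv(fields[-1][1], 0)    # BasicConstraints SEQUENCE
            for bc_tag, bc_val in _children(bc):
                if bc_tag == 0x01:                    # cA BOOLEAN (omitted in DER when FALSE)
                    return bc_val != b"\x00"
            return False
    return False


def pem_to_der(text: str) -> bytes:
    """Base64-decode the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


# --- constructed fixtures: certificate-shaped DER, unsigned, for self-checks only ---

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (values up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def _seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))


def fake_cert(ca: Optional[bool]) -> bytes:
    """Minimal unsigned certificate structure: ca=True/False sets the basicConstraints
    cA bit, ca=None omits the extension entirely (which X.509 treats as not a CA)."""
    sig_alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    name = _seq(_tlv(0x31, _seq(_tlv(0x06, bytes.fromhex("550403")), _tlv(0x0C, b"constructed"))))
    tbs = [
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                 # [0] version v3
        _tlv(0x02, b"\x01"),                                             # serialNumber
        sig_alg, name,
        _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"250101000000Z")),  # validity
        name,
        _seq(_seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101"))), _tlv(0x03, b"\x00\x00")),  # spki stub
    ]
    if ca is not None:
        bc = _seq(_tlv(0x01, b"\xff")) if ca else _seq()                 # DER omits cA when FALSE
        tbs.append(_tlv(0xA3, _seq(_seq(_tlv(0x06, OID_BASIC_CONSTRAINTS), _tlv(0x01, b"\xff"), _tlv(0x04, bc)))))
    return _seq(_seq(*tbs), sig_alg, _tlv(0x03, b"\x00\x00"))


def der_to_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Assumed usage: python check_ca_flag.py /etc/snmp/tls/ca-certs/*.crt
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            raw = fh.read()
        der = pem_to_der(raw.decode()) if raw.startswith(b"-----") else raw
        print(f"{path}: {'CA' if is_ca_cert(der) else 'not a CA'}")
```

Run it over the files you point trustCert at: anything reported as "not a CA" cannot act as an issuer for chain building whatever net-snmp records about it, while a file reported as "CA" that still fails on reload points at the indexing problem the report describes. The walker does no signature or chain validation; it only answers the one question the bug is about.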
Related branches
- Andreas Hasenack (community): Approve
- Canonical Server: Pending requested

Diff: 1374 lines (+1132/-4), 7 files modified:
- debian/changelog (+986/-0)
- debian/control (+4/-3)
- debian/patches/lp1945960-Fix-the-build-against-OpenSSL-3.0.patch (+33/-0)
- debian/patches/lp1945960-configure-static-linking-Fix-SSL-checks.patch (+66/-0)
- debian/patches/series (+2/-0)
- debian/rules (+5/-1)
- debian/source.apport (+36/-0)

tags: added: patch
affects: nagios-plugins (Ubuntu) → net-snmp (Ubuntu)
tags: added: server-todo
Thanks for the report. I've reassigned the bug to net-snmp, since this is not a nagios-plugins issue.
I'm also having a bit of trouble reproducing this one. I think I generated the certificates correctly by doing:
# net-snmp-cert genca -I -n hostname.example.com
# net-snmp-cert gencsr -I -t snmpd -n hostname.example.com --san DNS:snmpd.example.com
# net-snmp-cert signcsr -I --with-ca hostname.example.com --csr snmpd
# cd /etc/snmp/tls
# mv newcerts/*.crt certs/
# chmod a+r certs/* ca-certs/*
I also added the following lines to /etc/snmp/snmpd.conf:
[snmp] localCert /etc/snmp/tls/certs/snmpd.crt
[snmp] trustCert /etc/snmp/tls/ca-certs/hostname.example.com.crt
The only debug mode I could find was passing -D to snmpd, so I edited snmpd.service to do that. I can't see anything about trustCert in the logs, though.
Could you please provide a more detailed instruction on how to reproduce the failure?