GIT-2927: Fixed lack of updates to trusted CA lists (Fixes #2927) #3006
Description
Many users have experienced connectivity errors with external services.
The error log is "OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate))", which indicates that an HTTPS connection was closed because of a failure during X.509 certificate verification.
The cause of the issue is the expiration of the DST Root CA X3 Let's Encrypt root certificate.
As mentioned here, Let's Encrypt also has a newer root certificate, ISRG Root X1, which after the expiration of DST Root CA X3 becomes the only valid one.
Greenlight (GL) requires an HTTP client to use some external services (BigBlueButton, OmniAuth providers, ...).
Some gems (dependencies) in the GL application simplify communication with external APIs and come with their own dependencies.
Some of these depend on faraday and others on httpclient.
The faraday gem has faraday-net_http, which is the adapter for Net::HTTP that is used, for example, by bigbluebutton-api-ruby.
The faraday adapter by default uses OpenSSL::X509::Store as its trusted CA list.
This raises an issue for users who run an old Docker image: their OpenSSL trusted root certificates are outdated, which breaks any HTTPS connection to any server (including but not limited to BigBlueButton servers) that presents an X.509 certificate issued by Let's Encrypt.
A second issue affects another subset of users who may have an up-to-date OpenSSL CA list but still experience problems (including but not limited to OmniAuth); this subset is affected because the httpclient gem uses an old (from 2015) Mozilla CA list.
Testing Steps
Solution
For HTTPClient: we fetch the latest Mozilla cacert.pem securely at Docker image build time.
For Net::HTTP: we enforce an update of the OpenSSL certs at image build time.
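A check that an operator could run against a CA bundle (such as httpclient's bundled cacert.pem or the system store) to see whether it still carries the expired DST Root CA X3 and whether ISRG Root X1 is present. This is an added example, not code from this PR or from Greenlight; the two bundles it audits are constructed self-signed certificates that only reuse the root names and validity dates, not the real roots.

```ruby
require 'openssl'

# Roots that must be present for Let's Encrypt chains to verify after 2021-09-30.
EXPECTED_ROOTS = ['ISRG Root X1'].freeze

# Split a PEM bundle (like cacert.pem) into OpenSSL certificate objects.
def load_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

def common_name(cert)
  cert.subject.to_a.assoc('CN')&.at(1)
end

# Report which certificates in the bundle are expired at `now` and which
# expected roots are missing entirely.
def audit_bundle(pem_text, now: Time.now)
  certs = load_bundle(pem_text)
  names = certs.map { |c| common_name(c) }
  {
    total: certs.size,
    expired: certs.select { |c| c.not_after < now }.map { |c| common_name(c) },
    missing: EXPECTED_ROOTS - names
  }
end

# Constructed test data: self-signed certs carrying the same CN and validity
# window as the real roots, signed with a throwaway key (not the real roots).
def make_self_signed(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# A stale bundle (constructed) holds only DST Root CA X3, which expired 2021-09-30;
# a fresh one additionally holds ISRG Root X1 (valid until 2035).
STALE_BUNDLE = make_self_signed('DST Root CA X3', Time.utc(2000, 9, 30), Time.utc(2021, 9, 30, 14, 1, 15))
FRESH_BUNDLE = STALE_BUNDLE + make_self_signed('ISRG Root X1', Time.utc(2015, 6, 4), Time.utc(2035, 6, 4))

if __FILE__ == $0
  p audit_bundle(STALE_BUNDLE)   # expired: ["DST Root CA X3"], missing: ["ISRG Root X1"]
  p audit_bundle(FRESH_BUNDLE)   # missing: []
end
```

To audit a real bundle, pass `File.read('/path/to/cacert.pem')` to `audit_bundle`; a non-empty `missing` list or a `DST Root CA X3` entry under `expired` is the condition this PR fixes.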
Screenshots (if appropriate):