Ericsson / codechecker

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy
https://codechecker.readthedocs.io
Apache License 2.0

‘CodeChecker server’ Enforces secure socket (SSL) failed #2859

Open lipeng28 opened 4 years ago

lipeng28 commented 4 years ago

Hi There

I created the cert.pem and key.pem according to this link: https://medium.com/@KentaKodashima/generate-pem-keys-with-openssl-on-macos-ecac55791373. When I placed these two pems in the ws folder and ran the command "CodeChecker server -w ./ws -v 8555", I encountered the following error. Can you please advise what the problem is and how to resolve it?

Thanks Peng

[WARNING 2020-07-23 15:27] - './ws/server_config.json' is readable by users other than you! This poses a risk of leaking sensitive information, such as passwords, session tokens, etc.! Please 'chmod 0600 ./ws/server_config.json' so only you can access the file.
[INFO 2020-07-23 15:27] - Garbage collection for product 'Default' started...
[INFO 2020-07-23 15:27] - Garbage collection finished.
[INFO 2020-07-23 15:27] - Initiating SSL. Server listening on secure socket.
[ERROR 2020-07-23 15:27] - Couldn't start the server: [SSL] PEM lib (_ssl.c:3824)
Traceback (most recent call last):
  File "/Users/xxx/CodeChecker-byd/build/CodeChecker/cc_bin/CodeChecker.py", line 130, in main
    args.func(args)
  File "/Users/xxx/CodeChecker-byd/build/CodeChecker/cc_bin/../lib/python3/codechecker_server/cmd/server.py", line 433, in __handle
    main(args)
  File "/Users/xxx/CodeChecker-byd/build/CodeChecker/cc_bin/../lib/python3/codechecker_server/cmd/server.py", line 1009, in main
    server_init_start(args)
  File "/Users/xxx/CodeChecker-byd/build/CodeChecker/cc_bin/../lib/python3/codechecker_server/cmd/server.py", line 992, in server_init_start
    environ)
  File "/Users/xxx/CodeChecker-byd/build/CodeChecker/lib/python3/codechecker_server/server.py", line 1100, in start_server
    manager)
  File "/Users/xxx/CodeChecker-byd/build/CodeChecker/lib/python3/codechecker_server/server.py", line 837, in init
    certfile=ssl_cert_file)
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.7/lib/python3.7/ssl.py", line 1216, in wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3824)

gyorb commented 4 years ago

Hi,

If you try to use the generated cert files with the minimal example mentioned here: https://docs.python.org/3/library/ssl.html#socket-creation, can it load the certificates?

Can it load the self-signed certificates generated like this: https://docs.python.org/3/library/ssl.html#self-signed-certificates
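A pre-flight check for the first error in this thread, as an added example that is not part of the issue or of CodeChecker itself: it repeats the Python ssl load suggested above and adds textual checks for the common causes of a PEM lib failure (a passphrase-protected key, which openssl req writes unless -nodes is given, or swapped or DER-encoded files). The sample PEM strings are constructed placeholders with no real key material.

```python
import re
import ssl
import tempfile
from pathlib import Path

# One PEM block; group 1 is its label, e.g. "CERTIFICATE" or "ENCRYPTED PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample inputs (headers only, bodies are not real DER) used by the checks below.
CERT_SAMPLE = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
KEY_SAMPLE = "-----BEGIN PRIVATE KEY-----\nMIIB\n-----END PRIVATE KEY-----\n"
KEY_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB\n-----END ENCRYPTED PRIVATE KEY-----\n"

def pem_labels(text):
    """Labels of every PEM block found in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def diagnose(cert_text, key_text):
    """Textual checks for the usual reasons load_cert_chain rejects a cert/key pair."""
    problems = []
    cert_labels, key_labels = pem_labels(cert_text), pem_labels(key_text)
    if "CERTIFICATE" not in cert_labels:
        problems.append("cert.pem has no CERTIFICATE block (wrong file, or DER not PEM?)")
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append("key.pem has no PRIVATE KEY block (wrong file, or DER not PEM?)")
    if "ENCRYPTED PRIVATE KEY" in key_labels or "Proc-Type: 4,ENCRYPTED" in key_text:
        problems.append("key.pem is passphrase-protected; the server loads it without a password")
    return problems

def try_load(cert_path, key_path):
    """Repeat the server's own load_cert_chain call; None on success, else the error text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=str(cert_path), keyfile=str(key_path))
    except OSError as exc:  # ssl.SSLError ("[SSL] PEM lib ...") is a subclass of OSError
        return str(exc)
    return None

def check_pair(cert_text, key_text):
    """Run both checks on in-memory PEM text; returns (problems, load_error)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = Path(tmp, "cert.pem"), Path(tmp, "key.pem")
        cert.write_text(cert_text)
        key.write_text(key_text)
        return diagnose(cert_text, key_text), try_load(cert, key)

if __name__ == "__main__":  # usage: python check_pem.py cert.pem key.pem
    import sys
    print(check_pair(Path(sys.argv[1]).read_text(), Path(sys.argv[2]).read_text()))
```

Run it against the files in the workspace before starting the server; an empty problem list together with a load error points at content OpenSSL cannot parse rather than at file layout.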

lipeng28 commented 4 years ago

Hi @gyorb, yes, after I used the command in this link: https://docs.python.org/3/library/ssl.html#self-signed-certificates, I could load the self-signed certificate, and I think the server launched successfully. The output is shown as follows:

[INFO 2020-07-29 21:48] - Garbage collection for product 'Default' started...
[INFO 2020-07-29 21:48] - Garbage collection finished.
[INFO 2020-07-29 21:48] - Initiating SSL. Server listening on secure socket.
[INFO 2020-07-29 21:48] - Server waiting for client requests on [localhost:8555]

However, when I ran “CodeChecker store ./reports --name xxx --url https://localhost:8555/Default”, I got the following error:

[ERROR 2020-07-29 22:03] - Connection failed.
[ERROR 2020-07-29 22:03] - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056)
[ERROR 2020-07-29 22:03] - Check if your CodeChecker server is running.

Any idea about it?

gyorb commented 4 years ago

Hi,

Do you want to set up a developer server or some user-facing server? I'm just asking because self-signed certificates should only be used for development or testing. The store client produces that error because the rootCA generated into the self-signed certificate is not found by the store client when it checks for the rootCA on your machine.

lipeng28 commented 4 years ago

Hi @gyorb, eventually I want to set up a user-facing server. Right now, while I am working on a testing server, can you please advise how I could avoid this issue? Thanks Peng

gyorb commented 4 years ago

Hi,

For local testing and development I think the easiest way to generate the certificates is to use the mkcert tool. It will install a root CA on your system and you can create certificates signed by that root CA. What you can do is set up a local dev server:

# generate the codechecker workspace
CodeChecker server -w workspace
# generate the certificates signed by the mkcert dev root CA
mkcert -key-file ./workspace/key.pem -cert-file ./workspace/cert.pem 127.0.0.1
# start the codechecker server (the certs were generated for 127.0.0.1)
CodeChecker server -w workspace --host 127.0.0.1

After that you should be able to check the page through https in the browser and store results like this:

CodeChecker store ./reports --url https://127.0.0.1:8001/Default -n testing

For a user-facing setup you can use nginx (http://nginx.org/en/docs/http/configuring_https_servers.html): nginx is configured to use the certificates and does the TLS termination. It can forward the traffic to one or multiple CodeChecker servers, and can do rate limiting too. You might need to tweak the nginx configuration a bit to allow larger file uploads if a lot of reports are uploaded.

kenroser commented 3 years ago

I would actually like to leave my server running with a self-signed certificate. Is there a way to allow stores to the server without hitting the [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056) error? The developers using this server can use these certs by making an exception in their browser. Why can't the store code do the same in some fashion?

csordasmarton commented 3 years ago

@kenroser How did you generate your self-signed certificate? Could you please describe your steps/commands so I can reproduce this problem?

kenroser commented 3 years ago

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

I then put these pem files in my server workspace directory and started the server.

csordasmarton commented 3 years ago

@kenroser I created a patch where you will be able to specify certificates for the client: #3267.

For example you can use the following command to store the results:

CodeChecker store ./reports -n myrun --tlscacert cert.pem

Please try it out and give us feedback whether it solves your problem.

kenroser commented 3 years ago

I applied the patch and it does exactly what I needed. Thank you so much.

geeksmith commented 1 year ago

I applied the patch to the latest today. Only a few hunks failed, minor effort required to resolve them. Would love to see this change merged as it makes testing a lot easier while not ignoring certificate validation altogether.