SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Certificate chain not being sent completely by tomcat container? #210

Closed djinnsec closed 3 months ago

djinnsec commented 1 year ago

To get the vectr application running we uploaded the certificate in this format:

```
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
```

When using openssl to verify the chain we get the following:

Command: `openssl s_client -connect 127.0.0.1:443 -servername {REDACTED}`

```
vectr@vectr:/opt/vectr$ openssl s_client -connect 127.0.0.1:443 -servername {REDACTED} -showcerts
CONNECTED(00000005)
depth=0 C = {REDACTED}
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = {REDACTED}
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:C = {REDACTED}
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
blahbla
-----END CERTIFICATE-----

Server certificate
{REDACTED}
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2444 bytes and written 421 bytes
Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A40C1259A3E01608EE479CB9745C1F731F434A4B087D858074B8525B3E7513E6
    Session-ID-ctx:
    Master-Key: 92983D997BD18627B385B073483290C633C2148CF3F242E3730EDFB5009728A8E5217DB9991D88901B2610BD5ECB7032
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 8b 68 34 07 24 55 5f c3-45 99 0f 1f c6 e8 99 2d   .h4.$U.E......-
    0010 - db 97 d8 b4 ce 01 c1 96-d9 63 ef 51 2c ce 64 85   .........c.Q,.d.
    0020 - 88 1d 80 e7 a6 a5 90 3a-9a 9b e9 c0 fa 6b d6 ae   .......:.....k..
    0030 - 7f 6c 89 6f 2c 5c 48 30-78 f8 7e 3b fc 90 0f 1d   .l.o,\H0x.~;....
    0040 - e5 22 9b cb c7 7c e4 8e-a6 a4 14 96 c0 c6 59 71   ."...|........Yq
    0050 - 33 b3 a4 00 9e 99 8f f9-4c b1 a6 80 0d 5f 3d 85   3.......L....=.
    0060 - 50 21 d5 5a fb 6f 03 ef-f3 14 d9 81 f0 33 df fd   P!.Z.o.......3..
    0070 - 99 8f 5b 65 0d 02 ad 63-8b 68 7c 59 9d e9 8b 22   ..[e...c.h|Y..."
    0080 - 03 70 c7 ca c5 9b af 87-4e 41 f1 c6 9c fe 7f bd   .p......NA......
    0090 - dc c9 08 1a a9 65 b4 40-89 c3 0d 2a 2a a1 08 13   .....e.@...**...
    00a0 - 84 9e 50 b5 07 70 ea c8-91 21 a6 72 c4 24 f0 fa   ..P..p...!.r.$..
    00b0 - ca ac fd 90 e9 d3 d4 b7-1d dd e4 6b da 0e 3a 9e   ...........k..:.
    00c0 - 30 a1 80 14 0a 86 9b 96-d5 8e 99 2f 79 ac 60 f1   0........../y.`.
    00d0 - a5 99 dc dd 6e 6e f0 2f-1b f3 9b 07 0f 74 ce 5b   ....nn./.....t.[

    Start Time: 1673533809
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
```

It seems the full certificate chain is not being sent via the tomcat server. Could someone point me to how to get this resolved?
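An added example, not VECTR project code, for catching this before deployment: it checks that a PEM bundle like the one above is ordered leaf, intermediate(s), root, verifies the leaf against that bundle, and counts how many certificates a running server actually presents in the handshake. It assumes the openssl CLI is installed.

```shell
# Added example, not VECTR project code. Assumes the openssl CLI is installed and
# the bundle is ordered leaf -> intermediate(s) -> root, as in the issue above.
# Split a PEM bundle into 01.pem, 02.pem, ... in a scratch dir; print the dir path.
split_bundle() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }' "$1"
    echo "$dir"
}

# Structural check: each certificate's issuer must equal the subject of the next
# one. A missing intermediate or a reversed bundle shows up as a "break".
check_bundle_order() {
    dir=$(split_bundle "$1")
    prev_issuer=""
    rc=0
    for f in "$dir"/*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "break: expected '$prev_issuer', found '$subject' in $(basename "$f")"
            rc=1
        fi
        prev_issuer=$issuer
    done
    echo "certificates in bundle: $(grep -c 'BEGIN CERTIFICATE' "$1")"
    rm -rf "$dir"
    return $rc
}

# Cryptographic check: verify the first certificate against the rest of the
# bundle, with the bundle's last certificate as the trust anchor.
verify_bundle() {
    dir=$(split_bundle "$1")
    leaf=$(ls "$dir"/*.pem | head -n 1)
    root=$(ls "$dir"/*.pem | tail -n 1)
    openssl verify -CAfile "$root" -untrusted "$1" "$leaf"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Live check (needs network): count the certificates a server presents; a count of 1 for a WebPKI cert means the intermediate is not served.
served_chain_count() {
    printf '' | openssl s_client -connect "$1" -servername "$2" -showcerts 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

Usage: `check_bundle_order chain.pem && verify_bundle chain.pem`, then `served_chain_count 127.0.0.1:443 vectr.example` after deployment.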

SRAPSpencer commented 1 year ago

Currently certificate chains are not supported. I'll make a feature request to have this added.

If you'd like to attempt to get it working with the existing build I'd advise you to look into the bind mount to get the certificates in, but I'm not confident this would work.

https://docs.vectr.io/ssl/SSL_Certificates/#installing-ssl-artifacts

TomTervoort commented 1 year ago

+1 on this issue. When we want to provide blue teams access to our VECTR instance we can't ask them to install custom CA certificates or to skip certificate warnings. However, when installing a standard WebPKI certificate chain (e.g. via LetsEncrypt) it will not work in their browsers because of the missing intermediate certificate.

Currently, we're working around this by putting a TLS terminating reverse proxy in front of the Tomcat server, but it would be very useful if we could just configure the whole chain in VECTR instead.

martindube commented 4 months ago

I would also need this feature :pray:

thebleucheese commented 3 months ago

Cert termination is being migrated to the Caddy webserver in 9.2 (release target in approximately 1 month). See the Caddy docs for details on cert chain & cert termination. VECTR UI & environment configuration will only support cert / key for simple use cases. Any advanced configuration in the future will need to be done on the Caddy container following best practices for configuring that application. This will make advanced SSL configuration follow modern best practices. Marking as will not fix in VECTR < 9.2.