gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Missing failure reason if server TLS does not validate #197

Closed bernhardreiter closed 2 years ago

bernhardreiter commented 2 years ago

If finding data fails because the TLS certificate of the HTTPS server cannot be validated, there is no hint in the output.

The user will want to know what the reason for the failure is.

Expectation: See a TLS certificate validation error message, so that the user can inquire further.

Reproduce

Observations:

~/csaf_distribution-git/bin-linux-amd64/csaf_downloader --version
0.9.2-51-g8998e2c
 ~/csaf_distribution-git/bin-linux-amd64/csaf_downloader localhost
2022/06/23 10:37:01 Looking for provider-metadata.json of 'localhost': https://localhost/.well-known/csaf/provider-metadata.json not found.
2022/06/23 10:37:01 Looking for provider-metadata.json of 'localhost': https://localhost/.well-known/security.txt failed to load.
2022/06/23 10:37:01 Looking for provider-metadata.json of 'localhost': https://csaf.data.security.localhost not found.

 ~/csaf_distribution-git/bin-linux-amd64/csaf_downloader localhost --verbose
2022/06/23 10:37:20 [GET]: https://localhost/.well-known/csaf/provider-metadata.json
2022/06/23 10:37:20 Looking for provider-metadata.json of 'localhost': https://localhost/.well-known/csaf/provider-metadata.json not found.
# [..]
/csaf_distribution-git/bin-linux-amd64/csaf_downloader localhost --verbose --insecure
# works

~/csaf_distribution-git/bin-linux-amd64/csaf_checker localhost
        {
          "num": 7,
          "description": "provider-metadata.json",
          "messages": [
            {
              "type": 1,
              "text": "https://localhost/.well-known/csaf/provider-metadata.json not found."
            },
            {
              "type": 1,
              "text": "https://localhost/.well-known/security.txt failed to load."
            },
            {
              "type": 1,
              "text": "https://csaf.data.security.localhost not found."
            },
            {
              "type": 2,
              "text": "No valid provider-metadata.json found."
            },
            {
              "type": 2,
              "text": "STOPPING here - cannot perform other checks."
            }
          ]
        },

Expectation: a message should contain the TLS validation error.

Here is a good example from curl, trying to access one of the urls:

 curl https://localhost/.well-known/csaf/provider-metadata.json
curl: (60) SSL certificate problem: self signed certificate in certificate chain

bernhardreiter commented 2 years ago

A warning comes from the downloader, if a URL is given instead of a domain, e.g.

csaf_downloader https://localhost:9443/.well-known/csaf-aggregator/local-dev-provider2/provider-metadata.json
2022/06/23 15:07:41 Error fetching 'https://localhost:9443/.well-known/csaf-aggregator/local-dev-provider2/provider-metadata.json': Get "https://localhost:9443/.well-known/csaf-aggregator/local-dev-provider2/provider-metadata.json": x509: certificate signed by unknown authority
2022/06/23 15:07:41 error: no provider-metadata.json found for 'https://localhost:9443/.well-known/csaf-aggregator/local-dev-provider2/provider-metadata.json

0.9.2-38-g0b19782

For a domain the same message is missing.

s-l-teichmann commented 2 years ago

I would guess it has something to do with the silencing of the load error in csaf.LoadProviderMetadataFromURL. Same in csaf.LoadProviderMetadatasFromSecurity.
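The behaviour described in this thread, as an added Go example that is not code from the gocsaf/csaf project: a probe of a provider-metadata.json candidate URL keeps the transport error instead of collapsing it into "not found", and classifies x509 verification failures separately so the user sees the TLS reason the issue asks for. The function and type names (probe, fetchResult, describe, strictClient, insecureClient) are assumptions for this example, the HTTPS server is a constructed local fixture using httptest's self-signed certificate, and the message wording only mimics the downloader output shown above.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetchResult records what happened when a candidate URL was probed.
// Hypothetical type for this example, not part of the csaf package.
type fetchResult struct {
	URL    string
	Status int    // HTTP status if a response was received, else 0
	Reason string // why the fetch did not succeed (transport or HTTP error)
	TLSErr bool   // true when the failure was a TLS certificate problem
}

// isTLSCertError unwraps the *url.Error returned by net/http (and, on
// newer Go versions, the *tls.CertificateVerificationError it wraps) and
// reports whether the root cause is an x509 verification failure.
func isTLSCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var hostname x509.HostnameError
	var invalid x509.CertificateInvalidError
	return errors.As(err, &unknownCA) ||
		errors.As(err, &hostname) ||
		errors.As(err, &invalid)
}

// probe performs a GET and preserves the transport error rather than
// silencing it, which is the defect the issue describes.
func probe(ctx context.Context, client *http.Client, url string) fetchResult {
	res := fetchResult{URL: url}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		res.Reason = err.Error()
		return res
	}
	resp, err := client.Do(req)
	if err != nil {
		res.Reason = err.Error()
		res.TLSErr = isTLSCertError(err)
		return res
	}
	defer resp.Body.Close()
	res.Status = resp.StatusCode
	if resp.StatusCode != http.StatusOK {
		res.Reason = fmt.Sprintf("HTTP %d", resp.StatusCode)
	}
	return res
}

// describe renders the result the way the issue asks for: a TLS failure is
// reported as such instead of being folded into "not found".
func describe(r fetchResult) string {
	switch {
	case r.TLSErr:
		return fmt.Sprintf("%s: TLS certificate validation failed: %s", r.URL, r.Reason)
	case r.Status == http.StatusNotFound:
		return fmt.Sprintf("%s not found.", r.URL)
	case r.Reason != "":
		return fmt.Sprintf("%s failed to load: %s", r.URL, r.Reason)
	default:
		return fmt.Sprintf("%s loaded (HTTP %d).", r.URL, r.Status)
	}
}

// strictClient verifies server certificates against the system roots,
// like the downloader without --insecure.
func strictClient() *http.Client {
	return &http.Client{Timeout: 5 * time.Second}
}

// insecureClient mirrors --insecure: verification is skipped, which is why
// the run in the issue "works" with that flag.
func insecureClient() *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
	}
}

// newTLSTestServer starts a local HTTPS server with httptest's self-signed
// certificate (constructed fixture). It serves provider-metadata.json at
// the well-known path and 404 everywhere else.
func newTLSTestServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/csaf/provider-metadata.json", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"canonical_url":"https://example.invalid/.well-known/csaf/provider-metadata.json"}`)
	})
	return httptest.NewTLSServer(mux)
}

func main() {
	srv := newTLSTestServer()
	defer srv.Close()
	ctx := context.Background()
	url := srv.URL + "/.well-known/csaf/provider-metadata.json"
	fmt.Println(describe(probe(ctx, strictClient(), url)))    // TLS certificate validation failed: ... x509: ...
	fmt.Println(describe(probe(ctx, insecureClient(), url)))  // loaded (HTTP 200).
	fmt.Println(describe(probe(ctx, insecureClient(), srv.URL+"/.well-known/security.txt"))) // not found.
}
```

The strict run against the self-signed fixture yields an x509 "certificate signed by unknown authority" reason, the same class of error the second comment shows for the URL form; the 404 path still produces the plain "not found." wording, so the two failure modes are no longer indistinguishable in the output.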