louislam / uptime-kuma

A fancy self-hosted monitoring tool
https://uptime.kuma.pet
MIT License

Dealing with revoked certificates #1254

Open ccoenen opened 2 years ago

ccoenen commented 2 years ago

⚠️ Please verify that this feature request has NOT been suggested before.

🏷️ Feature Request Type

Other

🔖 Feature description

Uptime Kuma checks the time until certificates expire. It could also check for the validity based on their revocation status.

βœ”οΈ Solution

On top of alerting for outdated certs, it should also alert for revoked certs.

❓ Alternatives

No response

πŸ“ Additional Context

Let's Encrypt is in the process of revoking a number of certificates this week. The issued certificates would still be before their expiration date, but will nonetheless be causing security warnings for clients. This can't be fully avoided with this, but at least one would not be notified by users/clients but by the monitoring system.

More context: https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/

While this supposed future enhancement will not help with this week's problem, it might help mitigate a potential future similar incident.

kfeina commented 5 months ago

Hello,

Is there any plan to implement the revoke certificate check?

Thanks a lot.

CommanderStorm commented 5 months ago

I think the same arguments as in node apply: https://github.com/nodejs/node/issues/16338. Seems like the security people have spoken that implementing this system is not sensible. => If they don't think doing so adds extra value, we also should not spend the effort, or am I missing something?

I read https://scotthelme.co.uk/revocation-is-broken/; there is no real way to do what is being asked in this issue. OCSP might help but is not perfect.

As it currently stands there is a real problem: we can't revoke certificates if someone obtains our private key.

If someone wants to look into OCSP Stapling, we would be open to a PR. Our contribution guide is here. Note that you can likely provide your CRL via the mechanisms in node if the risks noted in https://github.com/nodejs/node/issues/16338 are fine for you.
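To make concrete what the "check for revocation" in the original request and the CRL mechanism mentioned in the comment above actually involve, here is an added example that is not part of this thread and not uptime-kuma's own code. It is written in Go rather than Node.js only because Go's standard library can build a throw-away CA, a leaf certificate and a CRL in-process, so the whole thing runs offline; the CA name, the host name monitor.example and the serial numbers are constructed for the demo. The monitor-side logic is `CheckAgainstCRL`: it verifies the CRL signature and freshness before looking up the serial, and reports `unknown` (something to alert on in its own right) rather than `good` when the CRL is stale or signed by an impostor, which is the soft-fail trap the linked articles warn about. OCSP is not shown because the standard library has no OCSP parser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what a monitor would report for one leaf certificate.
type RevocationStatus string

const (
	StatusGood    RevocationStatus = "good"
	StatusRevoked RevocationStatus = "revoked"
	StatusUnknown RevocationStatus = "unknown" // missing, forged or stale CRL: alert, never treat as "good"
)

// CheckAgainstCRL validates a DER-encoded CRL against the issuer and reports whether leaf's serial is
// listed. Signature and freshness are checked first, so a stale or forged CRL can never yield "good".
func CheckAgainstCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL not current (nextUpdate %s)", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates { // Go 1.21+ also exposes RevokedCertificateEntries
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func must[T any](v T, err error) T { // unwrap results while building the constructed demo PKI
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert generates a fresh P-256 key, signs tmpl with parent (self-signed when parent is nil)
// and parses the result back so derived fields such as SubjectKeyId are populated.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo CA template (constructed): the CRL-signing key usage is required by x509.CreateRevocationList.
var caTmpl = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Monitoring CA"},
	IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}

// leafTmpl describes a server certificate for the hypothetical host monitor.example.
func leafTmpl(serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "monitor.example"}, DNSNames: []string{"monitor.example"}}
}

// signCRL signs a CRL listing the given serials, valid from thisUpdate to nextUpdate.
func signCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials []*big.Int, thisUpdate, nextUpdate time.Time) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range serials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate, RevokedCertificates: entries}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// Demo runs four scenarios and returns the status keyed by scenario name.
func Demo() map[string]RevocationStatus {
	now := time.Now()
	ca, caKey := makeCert(caTmpl, nil, nil)
	good, _ := makeCert(leafTmpl(1000), ca, caKey)
	revoked, _ := makeCert(leafTmpl(1001), ca, caKey)
	fresh := signCRL(ca, caKey, []*big.Int{revoked.SerialNumber}, now.Add(-time.Hour), now.Add(24*time.Hour))
	impostor, impostorKey := makeCert(caTmpl, nil, nil) // same name as the real CA, different key
	forged := signCRL(impostor, impostorKey, nil, now.Add(-time.Hour), now.Add(24*time.Hour)) // claims nothing is revoked
	results := map[string]RevocationStatus{}
	check := func(name string, leaf *x509.Certificate, crl []byte, at time.Time) {
		status, err := CheckAgainstCRL(leaf, ca, crl, at)
		results[name] = status
		fmt.Printf("%-24s %-8s %v\n", name, status, err)
	}
	check("good-leaf/fresh-crl", good, fresh, now)
	check("revoked-leaf/fresh-crl", revoked, fresh, now)
	check("revoked-leaf/stale-crl", revoked, fresh, now.Add(48*time.Hour)) // evaluated after nextUpdate
	check("revoked-leaf/forged-crl", revoked, forged, now)
	return results
}

func main() { Demo() }
```

`go run` prints one line per scenario. In a real monitor the CRL would be fetched from the URL in the leaf's `CRLDistributionPoints` field and the issuer certificate taken from the served chain; the point of the example is the order of the checks, since a monitor that reports "good" whenever the CRL cannot be validated silently defeats the purpose of the check.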

kfeina commented 5 months ago

Hello again,

Maybe we miss the opportunity to check revoked certificates. I mean, something was revoked but we can not detect it with our monitoring tool (in this case uptime kuma).

I understand this is a technical difficult problem, but I can't help programming it because I don't have the required skills. I could only help in the testing steps.

Maybe OCSP stapling is the correct way to check it and forget CRL and OCSP?

Thanks a lot for your time.