Open originalsouth opened 1 month ago
Problem is that the kat IPv6 is not aggregated to boefjes sub-containers. If network="nl-kat-coordination_default" is given as an argument to the docker run (inside a boefje) the problems are resolved. Thanks @noamblitz for digging through this.
Pending on #2833
--- a/boefjes/boefjes/plugins/kat_ssl_certificates/main.py
+++ b/boefjes/boefjes/plugins/kat_ssl_certificates/main.py
@@ -31,6 +31,7 @@ def run(boefje_meta: BoefjeMeta) -> list[tuple[set, bytes | str]]:
hostname,
],
remove=True,
+ network="nl-kat-coordination_default",
)
except docker.errors.ContainerError as e:
output = f"error {str(e)}"
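Review bot: the added `network="nl-kat-coordination_default"` line hardcodes the network name that Docker Compose derives from the development project name, so the call depends on a network that may not exist in other deployments. Consider reading the network from a setting that is unset by default instead of using a literal. The only handler visible after the call is `except docker.errors.ContainerError`, so it is worth checking which exception a missing network raises and handling it explicitly, so the task fails visibly rather than falling outside the `error ...` output path.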
Would be a temporary workaround
Only for the development setup and this would fail for production setups, because those won't have a network called "nl-kat-coordination_default".
Describe the bug
The kat_ssl_certificates-boefje is broken for IPv6 resulting in:

To Reproduce
Steps to reproduce the behavior:
On a clean install with IPv6 support enable these boefjes
Create a URL OOI for a TLS supporting IPv6 enabled domain like openkat.nl
Get coffee
See a successful SSLCertificates passed task with empty content
See a wrong finding

Screenshots
In the case of metaplus.kennisnet.nl:

Case study
In
docker exec --privileged -u 0 -it nl-kat-coordination-boefje-1 bash
running
openssl s_client -host 2a00:d00:123:456:62:204:64:191 -port 443 -prexit -showcerts -servername "openkat.nl"
yields:
Where
docker run alpine/openssl:latest s_client -host 2a00:d00:123:456:62:204:64:191 -port 443 -prexit -showcerts -servername "openkat.nl"
yields:
Which is what the kat_ssl_certificates-boefje is using https://github.com/minvws/nl-kat-coordination/blob/929b44326887d5ded90f1f444b67e7f9e9570237/boefjes/boefjes/plugins/kat_ssl_certificates/main.py#L5 and thus might possibly be in need of replacement. The behavior is similar for other hosts in the same scenario.

Expected behavior
Retrieve Certificate for IPv6 successfully and fail the task if the retrieval was unsuccessful.
OpenKAT version main (b93157de143adfb01cdab9495b49cf7cb16594f8)
Desktop:
Linux computer 6.10.6-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:05 +0000 x86_64 GNU/Linux
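
The expected behavior described in the issue above (fail the task when no certificate came back, rather than reporting success with empty content), shown as an added example that is not OpenKAT's own code. The names `extract_certificates` and `CertificateRetrievalError` are hypothetical and the sample input is constructed.

```python
import base64
import re

# Hypothetical names throughout; this is not OpenKAT's parser.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----",
    re.DOTALL,
)


class CertificateRetrievalError(RuntimeError):
    """Raised when s_client output holds no usable certificate."""


def extract_certificates(s_client_output: str) -> list[bytes]:
    """Return the DER bytes of every PEM certificate in the output.

    Raises CertificateRetrievalError instead of returning an empty list,
    so an unreachable IPv6 target cannot look like a successful scan.
    """
    certs = []
    for match in PEM_RE.finditer(s_client_output):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise CertificateRetrievalError("malformed PEM block") from exc
        if not der.startswith(b"\x30"):
            raise CertificateRetrievalError("PEM block is not a DER SEQUENCE")
        certs.append(der)
    if not certs:
        raise CertificateRetrievalError("no certificate in s_client output")
    return certs


# Constructed sample input: a tiny DER SEQUENCE, not a real certificate.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_OK = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_EMPTY = ""  # the "empty content" case from the issue

if __name__ == "__main__":
    print(len(extract_certificates(SAMPLE_OK)), "certificate(s) found")
    try:
        extract_certificates(SAMPLE_EMPTY)
    except CertificateRetrievalError as err:
        print("task should fail:", err)
```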