
OpenCTI pycti is configured to disable SSL verification which is producing warning logs

Open animedbz16 opened this issue 1 year ago • 3 comments

Description

Recently upgraded OpenCTI 5.12.21 to the latest OpenCTI version 6.0.8, we noticed some issues where essentially all of the OpenCTI connectors are now producing the following error / warning:

/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1103: InsecureRequestWarning: Unverified HTTPS request is being made to host 'opencti.<DOMAIN>.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
  warnings.warn(

This error / warning seems to come from the way OpenCTI leverages various libraries that ultimately depend upon urllib3, which appears to have been updated or changed its behavior to log warnings where specific HTTPS requests are not having their TLS certificate verified.

I placed a breakpoint() directly above this line of code /usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1103 and used the Python debugger to understand where in OpenCTI the issue was ultimately being called / caused:

(Pdb) where
  /opt/opencti-connector-cisa-known-exploited-vulnerabilities/main.py(338)<module>()
-> connector = Cisa()
  /opt/opencti-connector-cisa-known-exploited-vulnerabilities/main.py(31)__init__()
-> self.helper = OpenCTIConnectorHelper(config)
  /usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py(767)__init__()
-> self.api = OpenCTIApiClient(
  /usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_client.py(200)__init__()
-> if perform_health_check and not self.health_check():
  /usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_client.py(387)health_check()
-> test = self.query(
  /usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_client.py(328)query()
-> r = self.session.post(
  /usr/local/lib/python3.11/site-packages/requests/sessions.py(637)post()
-> return self.request("POST", url, data=data, json=json, **kwargs)
  /usr/local/lib/python3.11/site-packages/requests/sessions.py(589)request()
-> resp = self.send(prep, **send_kwargs)
  /usr/local/lib/python3.11/site-packages/requests/sessions.py(703)send()
-> r = adapter.send(request, **kwargs)
  /usr/local/lib/python3.11/site-packages/requests/adapters.py(486)send()
-> resp = conn.urlopen(
  /usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py(793)urlopen()
-> response = self._make_request(
  /usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py(467)_make_request()
-> self._validate_conn(conn)
> /usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py(1104)_validate_conn()
-> warnings.warn(

This code in pycti, the opencti_api_client, defaults to ssl_verify=False:

https://github.com/OpenCTI-Platform/client-python/blob/cd22e61dbbb3ae0985f913d649e2d9ba697d2970/pycti/api/opencti_api_client.py#L108

https://github.com/OpenCTI-Platform/client-python/blob/cd22e61dbbb3ae0985f913d649e2d9ba697d2970/pycti/api/opencti_api_client.py#L317-L335

In pycti, the opencti_connector_helper does not pass in a value for ssl_verify, so in every case the default ssl_verify=False is being used:

https://github.com/OpenCTI-Platform/client-python/blob/cd22e61dbbb3ae0985f913d649e2d9ba697d2970/pycti/connector/opencti_connector_helper.py#L767-L780

In every connector, it looks like they all directly leverage the opencti_connector_helper to instantiate its connection to the OpenCTI platform API, so they all suffer from this issue.

When changing this ssl_verify=False to ssl_verify=True, the issue appears to be resolved.

Environment

  1. OS (where OpenCTI server runs): Docker
  2. OpenCTI version: 6.0.8
  3. OpenCTI client: N/A
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Run OpenCTI and secure it with a TLS certificate issued by your own Certificate Authority
  2. Build / Deploy OpenCTI connector containers with a custom Dockerfile to copy / inject the custom Certificate Authority root certificate so it is trusted by the container OS, by placing the certificate into /usr/local/share/ca-certificates/custom-ca.crt and running update-ca-certificates, as this will ensure the custom CA is trusted by anything that trusts the certificates loaded within the host / container.
  3. Start OpenCTI with connectors

Expected Output

OpenCTI connectors should be configured to perform TLS certificate verification

Actual Output

Warnings / Errors are produced to indicate that TLS certificate verification is not being performed, which could pose a security issue; in addition, every request is creating a lot of logging.

Additional information

See above

Screenshots (optional)

animedbz16 avatar Apr 01 '24 15:04 animedbz16

Adding an additional comment to clarify:

Changing this ssl_verify=False to ssl_verify=True, the issue appears to be resolved:

https://github.com/OpenCTI-Platform/client-python/blob/cd22e61dbbb3ae0985f913d649e2d9ba697d2970/pycti/api/opencti_api_client.py#L108

However, changing this may cause issues or impact for OpenCTI instances which may be leveraging TLS with self-signed certificates, since changing to ssl_verify=True will cause a failure if the TLS certificate cannot be properly validated.

It seems that the connection should likely default to be secure ssl_verify=True, and then provide a way to disable this behavior through an environment variable for anyone who would require this verification to be disabled for whatever reason they need it to be.

I am not sure how OpenCTI would recommend this change be corrected, but as it stands now we are receiving millions of logging events with the InsecureRequestWarning across the multitude of connectors.

animedbz16 avatar Apr 01 '24 15:04 animedbz16

Looking at this a bit further, it seems that inside the OpenCTI Worker code / container, this leverages an 'OPENCTI_SSL_VERIFY' environment variable, which allows the user to specify this to ensure that the TLS verification occurs:

https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-worker/src/worker.py#L454-L456

However, it seems that within specific connectors, they do not have a similar way to configure this feature, but seems like a good idea to support this feature in a similar way.

animedbz16 avatar Apr 03 '24 14:04 animedbz16

After internal discussions:

This is not intended and it should be configurable with the already existing parameter OPENCTI_SSL_VERIFY that is used later/on other calls: https://github.com/OpenCTI-Platform/client-python/blob/cd22e61dbbb3ae0985f913d649e2d9ba697d2970/pycti/connector/opencti_connector_helper.py#L670

SSL verification may be disabled by default but enabling should definitely be possible

nino-filigran avatar Apr 04 '24 07:04 nino-filigran
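The shape both the reporter's second comment and the maintainer's reply converge on (verify by default, with an explicit OPENCTI_SSL_VERIFY opt-out) is shown below as an added example; it is not pycti's code, and the function names resolve_ssl_verify, parse_bool and build_client_kwargs are my own. It also carries the caveat that matters for the reproduction steps above: requests validates against certifi's bundled CA file, not the OS trust store that update-ca-certificates populates, unless REQUESTS_CA_BUNDLE (or CURL_CA_BUNDLE) points at that store, so injecting a custom CA into the container alone is not enough even once ssl_verify=True is passed.

```python
"""Added example (not pycti code): resolve a `verify=` value for a requests
session with a secure default and an explicit, logged opt-out."""
import os
import warnings
from typing import Mapping, Optional, Union

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}

# Bundle that `update-ca-certificates` regenerates on Debian-based images
# after a CA is dropped into /usr/local/share/ca-certificates/.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def parse_bool(raw: Optional[str], default: bool) -> bool:
    """Parse an environment-style boolean; unset or blank means `default`.
    Unrecognised values are an error rather than a silent fallback, so a typo
    such as OPENCTI_SSL_VERIFY=fasle cannot quietly change the security posture."""
    if raw is None or raw.strip() == "":
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"OPENCTI_SSL_VERIFY has unrecognised value {raw!r}")


def resolve_ssl_verify(env: Mapping[str, str], default: bool = True,
                       system_bundle: Optional[str] = None) -> Union[bool, str]:
    """Return the value to hand to requests' `verify=` argument.

    Precedence:
      1. OPENCTI_SSL_VERIFY=false          -> False (explicit opt-out, warned once)
      2. REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE -> that bundle path (requests honours
                                               these itself, repeated here explicitly)
      3. system_bundle (caller checked it exists) -> the OS trust store path
      4. otherwise                          -> True, i.e. certifi's bundle
    """
    if not parse_bool(env.get("OPENCTI_SSL_VERIFY"), default):
        # Make the opt-out visible once at startup instead of once per request.
        warnings.warn("TLS certificate verification disabled via OPENCTI_SSL_VERIFY",
                      RuntimeWarning, stacklevel=2)
        return False
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        bundle = env.get(var)
        if bundle:
            return bundle
    if system_bundle:
        return system_bundle
    return True


def build_client_kwargs(env: Mapping[str, str]) -> dict:
    """Keyword arguments a connector helper could forward to the API client
    constructor (hypothetical `ssl_verify` keyword, mirroring the issue)."""
    bundle = SYSTEM_CA_BUNDLE if os.path.isfile(SYSTEM_CA_BUNDLE) else None
    return {"ssl_verify": resolve_ssl_verify(env, system_bundle=bundle)}


if __name__ == "__main__":
    print(build_client_kwargs(os.environ))
```

Passing the resolved value straight through as `session.verify` (or per-call `verify=`) is what makes the InsecureRequestWarning disappear for the right reason: the certificate chain is actually checked against the CA the operator chose, rather than the warning being filtered out.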

Is it possible to have a quick follow up about the discussions of this issue? I see it was closed then reopened

lndrtrbn avatar Jun 05 '24 07:06 lndrtrbn