Kura not Accessible if Default Certificates Deleted
Kudos to @mstankovic for finding this issue. I am adding it here so we have a separate issue for it (for easier tracking). If the user uninstalls both default certificates, there is no way to access Kura anymore. BUT if the user has enabled the HTTP service prior to this (and added port 80 in the firewall), Kura is still accessible (even through HTTPS).
Testflow:
- Log in to Kura as admin/admin
- Go to Security -> delete both default certificates
- Refresh the page and observe that Kura is not accessible anymore.
Testflow No. 2:
- Log in to Kura as admin/admin
- Go to Certificates, enable the HTTP Service
- Go to Firewall, open port 80 in the firewall
- Go to Certificates, delete both default certificates
- Refresh the page and observe the behaviour: Kura is still accessible
Expected behavior N/A
Screenshot: /
Target Environment (please complete the following information):
- Board: Raspberry Pi 3
- OS version: Linux raspberrypi 5.4.72-v7+ 1356 SMP Thu Oct 22 13:56:54 BST 2020 armv7l GNU/Linux
- Tested branch: PR #3143
Additional context: As stated above, this issue has been found on the PR #3143 branch and not on the latest develop branch.
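Added example, not part of the issue report and not Kura's own code: a small Python probe that automates the "refresh the page" step of both test flows. It reports whether the console still completes a TLS handshake on the HTTPS port and whether it answers on the plain-HTTP port, which is the difference between Testflow 1 (locked out) and Testflow No. 2 (still reachable over HTTP). The ports 443 and 80 are assumptions made here for illustration, and the loopback stand-in server exists only so the probe can be exercised offline; it is not Kura's web UI.

```python
"""Reachability probe for the two test flows in this issue (added example)."""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed defaults for illustration: Kura console on HTTPS 443 and HTTP 80.
# Adjust to the HttpService ports actually configured on the gateway.
DEFAULT_HTTPS_PORT = 443
DEFAULT_HTTP_PORT = 80
TIMEOUT = 3.0


def probe_http(host, port, timeout=TIMEOUT):
    """'ok' if an HTTP response comes back, 'refused' if nothing is listening
    (HTTP service disabled or port 80 closed in the firewall), else 'unexpected'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: %b\r\n\r\n" % host.encode())
            data = sock.recv(64)
        except OSError:
            return "unexpected"
    return "ok" if data.startswith(b"HTTP/") else "unexpected"


def probe_https(host, port, timeout=TIMEOUT):
    """'ok' if a TLS handshake completes, 'tls_failed' if the port answers but
    no handshake is possible (no usable certificate, or a plain-HTTP listener),
    'refused' if nothing is listening."""
    ctx = ssl.create_default_context()
    # The default Kura certificates are self-signed; this only checks that the
    # connector can still present *a* certificate, not that it is trusted.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok" if tls.version() else "tls_failed"
    except OSError:  # ssl.SSLError and timeouts are both OSError subclasses
        return "tls_failed"


def assess(host, https_port=DEFAULT_HTTPS_PORT, http_port=DEFAULT_HTTP_PORT,
           timeout=TIMEOUT):
    """Combine both probes into the outcome seen in the issue's test flows."""
    https = probe_https(host, https_port, timeout)
    http = probe_http(host, http_port, timeout)
    if https == "ok":
        verdict = "reachable over https"
    elif http == "ok":
        verdict = "reachable over http only"   # Testflow No. 2
    else:
        verdict = "locked out"                 # Testflow 1
    return {"https": https, "http": http, "verdict": verdict}


class _FakeConsole(BaseHTTPRequestHandler):
    """Constructed stand-in for a plain-HTTP console so the probe can be run
    offline; it is not Kura's web UI."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"console\n")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_console():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeConsole)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port():
    """Pick a loopback port nothing listens on (models a 'locked out' endpoint)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(assess(target))
```

Run it against the gateway before and after deleting the certificates (`python probe.py <gateway-ip>`); a verdict that changes from "reachable over https" to "locked out" reproduces Testflow 1, and "reachable over http only" reproduces Testflow No. 2. It deliberately does not log in, so it says nothing about whether an already-authenticated browser session keeps working over HTTPS.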
Won't fix.
Can we provide a reason why we are not fixing? Is that because it's not reproducible?
Now, after a certificate removal, if the certificate is in the HTTPS keystore, a refresh of the HttpService is triggered. Regarding the problem that the user can still access through HTTPS, it is related to the handling of JSESSIONID, and @nicolatimeus and I are working on it.
@salvatore-coppola Are we done with this issue and the one you were mentioning for the JSESSIONID?
@MMaiero we have moved this issue from the security UI fixes to the generic UI fixes. At the moment I think this is not a real security problem, but we need to discuss it.
@salvatore-coppola Is this still open?
@MMaiero I'll do a check