falco
falco copied to clipboard
falcosecurity
libcurl error: SSL peer certificate or SSH remote key was not OK
This is a copy of falcosecurity/libs#441
An update of FALCOSECURITY_LIBS_VERSION in cmake/modules/falcosecurity-libs-repo/CMakeLists.txt file is needed when the issue will be closed.
Describe the bug
When using Falco, installed with a prebuild, using HTTP output and the Falco Sidekick, deployed behind HTTPs with a wildcard certificate, libcurl fail to verify the certificate, therefore fail to send data when an alert is triggered.
The logged error:
Jun 29 14:58:42 falco2 falco: libcurl error: SSL peer certificate or SSH remote key was not OK
Jun 29 14:58:42 falco2 falco[90738]: Wed Jun 29 16:58:42 2022: libcurl error: SSL peer certificate or SSH remote key was not OK
How to reproduce it
Install a prebuild version of Falco.
Deploy a Sidekick behind HTTPs.
Configure Falco to output to the Sidekick.
Trigger some events by touching a file in /root i.e.
Expected behaviour
libcurl should be able to verify these certificate with the default certificate collection (/etc/ssl/certs for Ubuntu i.e.).
Fixing method
After investigation, I found that the problem was the configuration flags of libcurl when Falco/FalcoLibs are compiled in bundled mode.
The 2 flags are --without-ca-bundle and --without-ca-path in the curl.cmake CMake module.
I already did the PR to fix it.
Environment
- Falco version: 0.32.0
- OS: Ubuntu
- Kernel: 5.4.0-X
- Installation method: DEB / RPM / tar.gz
Additional context
Linked to https://github.com/falcosecurity/libs/pull/442. This should already be part of Falco's master since the libraries hash has been bumped recently.
the issue still persists for us on 0.32.2. Is there any workaround or fix?
the issue still persists for us on 0.32.2. Is there any workaround or fix?
Falco 0.33.0 is the latest release which should include the changes mentioned above. Please attempt using Falco 0.33.0 and let us know!
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community. /close
@poiana: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with
/reopen.Mark the issue as fresh with
/remove-lifecycle rotten.Provide feedback via https://github.com/falcosecurity/community. /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.