
Wget doesn't check certificate

Open savchenko opened this issue 6 years ago • 4 comments

In hetrixtools_agent.sh:

# Post data
wget -t 1 -T 30 -qO- --post-file="$ScriptPath/hetrixtools_agent.log" --no-check-certificate https://sm.hetrixtools.com/ &> /dev/null

What's the point of --no-check-certificate?..

sslyze --certinfo sm.hetrixtools.com:443 | grep -E 'Issuer|Status'
       Issuer:                            COMODO ECC Domain Validation Secure Server CA 2
       OCSP Response Status:              successful
       Cert Status:                       good

savchenko avatar Nov 01 '18 11:11 savchenko

Some systems that haven't installed or updated their CA certificates may run into SSL errors even when accessing valid SSL hosts. The --no-check-certificate is there to ensure maximum compatibility for our agent. Feel free to remove it in your agent, if you wish to do so; it should have no negative impact on most systems.

hetrixtools avatar Nov 01 '18 11:11 hetrixtools

I get your motivation, but to the best of my understanding this is welcoming MITM during agent deployment and data being posted to Hetrix.

savchenko avatar Nov 03 '18 06:11 savchenko

You could add a switch like --ignore-cert-issues to the install code window that the user can use during deployment. By default, the certificate should be checked against the local root CA.

twiddern avatar Nov 02 '19 00:11 twiddern

A solution could be to embed the certificate, like here: https://github.com/calmh/smartos-platform-upgrade/blob/master/platform-upgrade

foxycode avatar Mar 07 '20 16:03 foxycode
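
The opt-in switch and bundled-certificate suggestions from this thread, combined as an added example that is not the HetrixTools agent's own code. The names INSECURE_TLS, CA_BUNDLE, tls_args and post_report are hypothetical; the wget options are the ones from the original line plus wget's `--ca-certificate`.

```shell
#!/bin/sh
# Added example (not from hetrixtools_agent.sh). Hypothetical settings:
#   INSECURE_TLS=1  explicit opt-out, for hosts with no usable CA store
#   CA_BUNDLE=path  PEM file with CA certificates shipped beside the agent
# With neither set, wget verifies against the system CA store (its default).

# tls_args: print the single wget TLS option for the chosen mode, or nothing.
tls_args() {
    if [ "${INSECURE_TLS:-0}" = "1" ]; then
        # Verification is skipped only on request, and it is logged.
        echo "warning: TLS verification disabled (INSECURE_TLS=1)" >&2
        printf '%s\n' "--no-check-certificate"
    elif [ -n "${CA_BUNDLE:-}" ]; then
        # Fail closed if the bundled file is missing instead of
        # silently falling back to an unverified connection.
        if [ ! -r "$CA_BUNDLE" ]; then
            echo "error: CA bundle not readable: $CA_BUNDLE" >&2
            return 1
        fi
        printf '%s\n' "--ca-certificate=$CA_BUNDLE"
    fi
    return 0
}

# post_report LOGFILE URL: post the log with the same wget options as the
# agent, but with certificate checking on unless explicitly disabled.
post_report() {
    opt=$(tls_args) || return 1
    # ${opt:+"$opt"} expands to one quoted word, or to nothing when empty,
    # so a bundle path containing spaces is passed intact.
    wget -t 1 -T 30 -qO- --post-file="$1" ${opt:+"$opt"} "$2" >/dev/null 2>&1
}
```
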