typedb-driver icon indicating copy to clipboard operation
typedb-driver copied to clipboard

Published 20 hours ago verified publisher icon typedb

Invalid root CA successfully connects to cluster

Open flyingsilverfin opened this issue 3 years ago • 2 comments

Description

We expect that using the wrong or invalid root ca certificate to make an encrypted connection to cluster, it can succeed.

Environment

  1. OS (where TypeDB server runs): Ubuntu
  2. TypeDB version (and platform): TypeDB cluster 2.1.2

Tested in the Factory cluster environment

Reproducible Steps

  1. Test that a correct certificate works ./typedb console --cluster=typedb-cluster-0:1729 --username=admin --password--tls-enabled --tls-root-ca=<path to correct root ca>

confirm that

> database list

works

  1. copy the certificate and replace last line with all x's ./typedb console --cluster=typedb-cluster-0:1729 --username=admin --password--tls-enabled --tls-root-ca=`

confirm that

> database list

still works! When it should not...

Note that the way this was tested may end up with some gRPC magic that notices that a correct ssl certificate was used form the same origin before??

flyingsilverfin avatar Jun 29 '21 10:06 flyingsilverfin

The handling of the CA is entirely up to gRPC since the only thing we do is passing the file path down to the gRPC server.

It looks suspicious indeed that a modified root CA can still be used so it's likely a bug. However I want to read up a bit on it before making an issue on their side.

lolski avatar Oct 14 '21 10:10 lolski

Still occurs with latest Console, Cluster.

Can also be reproduced by simply renaming the root CA file.

alexjpwalker avatar Jan 11 '23 09:01 alexjpwalker