From 568012edd874a497b925fa2611a3da2a8c866a31 Mon Sep 17 00:00:00 2001 From: Ashwathi Shiva <56001041+ashwathishiva@users.noreply.github.com> Date: Thu, 25 Jun 2020 16:50:51 -0400 Subject: [PATCH] Preflight openssl verify (#438) * verify only server cert, not intermediate certs at this point --- pkg/preflight/verify_ca.go | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/pkg/preflight/verify_ca.go b/pkg/preflight/verify_ca.go index b90df962..34627349 100644 --- a/pkg/preflight/verify_ca.go +++ b/pkg/preflight/verify_ca.go @@ -93,25 +93,30 @@ func (qp *QliksensePreflight) extractCertAndVerify(server string, caCertificates // Get the ConnectionState struct as that's the one which gives us x509.Certificate struct x509Certificates := conn.ConnectionState().PeerCertificates + var serverCert *x509.Certificate if len(x509Certificates) == 0 { return fmt.Errorf("no server certificates retrieved from the server") } - if len(x509Certificates) > 1 { - return fmt.Errorf("more than 1 server certificate retrieved from the server") + // we retrieve and verify the server certificate, we ignore intermediate certificates at this point. + for _, x509Cert := range x509Certificates { + if !x509Cert.IsCA { + serverCert = x509Cert + break + } + } + if serverCert == nil { + return fmt.Errorf("no valid server certificates retrieved from the server") } - // execute verify cmd roots := x509.NewCertPool() - ok := roots.AppendCertsFromPEM([]byte(caCertificates)) - if !ok { + if ok := roots.AppendCertsFromPEM([]byte(caCertificates)); !ok { return fmt.Errorf("failed to parse root certificate.") } opts := x509.VerifyOptions{ - Roots: roots, - DNSName: u.Hostname(), - Intermediates: x509.NewCertPool(), + Roots: roots, + DNSName: u.Hostname(), } - if _, err := x509Certificates[0].Verify(opts); err != nil { + if _, err := serverCert.Verify(opts); err != nil { return fmt.Errorf("failed to verify certificate: " + err.Error()) } return nil