Page MenuHomeVyOS Platform

SSTP wrong certificates check
Closed, ResolvedPublicBUG

Description

In python SSTP CLI handler we check certificate existence, but handler does not check this directory or file.
I propose to change os.path.exists() to os.path.isfile()
https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/vpn_sstp.py#L326-L336

if not os.path.isfile(sstp['ssl_ca']):
    file = sstp['ssl_ca']
    raise ConfigError(f'SSL CA certificate file "{file}" does not exist')

if not os.path.isfile(sstp['ssl_cert']):
    file = sstp['ssl_cert']
    raise ConfigError(f'SSL public key file "{file}" does not exist')

if not os.path.isfile(sstp['ssl_key']):
    file = sstp['ssl_key']
    raise ConfigError(f'SSL private key file "{file}" does not exist')

Related forum topic https://forum.vyos.io/t/sstp-with-win-10-clients/5560/8

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202006270117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

@Dmitry Is it an actual task? Code was rewritten.

@Viacheslav I believe it is still actual for 1.3 https://github.com/vyos/vyos-1x/blob/equuleus/src/conf_mode/vpn_sstp.py#L60-L78
I saw we changed the PKI model only for 1.4. Implement PKI model for 1.3-epa1 a risky

erkin set Issue type to Improvement (missing useful functionality).Aug 29 2021, 2:00 PM
erkin removed a subscriber: Active contributors.
Dmitry changed the task status from Open to Needs testing.Sep 2 2021, 3:50 PM
Dmitry changed the task status from Needs testing to In progress.Wed, Nov 24, 6:17 PM
Dmitry claimed this task.
Dmitry changed the task status from In progress to Needs testing.EditedWed, Nov 24, 6:33 PM

Now certificate files existing should be checked via validator name="file-exists" which was fixed T3695
PR https://github.com/vyos/vyos-1x/pull/1082