
Comments (7)

gschneider-r7 avatar gschneider-r7 commented on August 17, 2024

What style of multi-line string are you using? Does it result in added line breaks or other white space? If you compare the output of the multi-line string to the raw certificate input you originally captured, do they match?

from nexpose-client.

EyeOfGnut avatar EyeOfGnut commented on August 17, 2024

@trust_cert = "-----BEGIN CERTIFICATE-----\n"\
    "line1\n"\
    "line2\n"\
    "line3\n"\
    ...
    "-----END CERTIFICATE-----\n"

I've also loaded it from the saved file (which was made as per the example) with the same result. There is a small difference in the way I have to pull it though, where I have to use "SSLv2/v3" for the ssl_version.


gschneider-r7 avatar gschneider-r7 commented on August 17, 2024

What OS are you running this script on?
What version of Ruby are you using?
What version of OpenSSL is being used by Ruby? You can use this to check:

require 'openssl'
puts OpenSSL::OPENSSL_LIBRARY_VERSION


EyeOfGnut avatar EyeOfGnut commented on August 17, 2024

I've tried it on both Windows 10 Enterprise and Kali Rolling (4.14.17-1kali1 (2018-02-16) x86_64 GNU/Linux)
Both are running IRB 0.9.6 with Nexpose gem 7.2.0

Windows has OpenSSL 1.0.2o
Linux has OpenSSL 1.1.0h
Both say the date on OpenSSL is 27 Mar 2018


gschneider-r7 avatar gschneider-r7 commented on August 17, 2024

Sorry I haven't had a chance to attempt to re-create this issue myself, but in the meantime are you using the default self-signed certificate in the console or one that has been signed by a CA (internal or otherwise)?

If the latter, I think you may need to import the root/intermediate certificate rather than the endpoint certificate. If you need to import a certificate chain (multiple intermediates) then it may not work with the code we have today. 😞


EyeOfGnut avatar EyeOfGnut commented on August 17, 2024

The cert is signed by an internal CA so we don't have to deal with Chrome's warning every time we go to the WebUI. The root cert is imported to my system already - are you saying that I need to import it via Ruby?


gschneider-r7 avatar gschneider-r7 commented on August 17, 2024

Yeah, unfortunately due to how the SSL/TLS stuff is set up in the gem the default is to ignore all validation (i.e. trust everything). The trust_cert feature was added to support trusting self-signed certificates, and I don't know that it will work for CA-signed certificates. Based on the code it seems it expects a single certificate, and even with the endpoint certificate supplied I think OpenSSL still wants to validate the chain. Also in this case it is setting the trust store to be the single certificate supplied, so you can't even rely on the default system trust store because it's not being used.

If you need this really soon you could try monkey-patching the code that sets up the OpenSSL context in the gem. That code is in 3 places:

  • @http.use_ssl = true
    #
    # XXX: This is obviously a security issue, however, we handle this at the client level by forcing
    # a confirmation when the nexpose host is not localhost. In a perfect world, we would present
    # the server signature before accepting it, but this requires either a direct callback inside
    # of this module back to whatever UI, or opens a race condition between accept and attempt.
    if @trust_store.nil?
      @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    else
      @http.cert_store = @trust_store
    end
  • http.use_ssl = true
    if nsc.trust_store.nil?
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    else
      http.cert_store = nsc.trust_store
    end
  • http.use_ssl = true
    if @trust_store.nil?
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX: security issue
    else
      http.cert_store = @trust_store
    end

Otherwise if you want to take a stab at changing the trust_cert feature to support the full chain or combine with the system trust store (i.e. instance a new trust store that takes in certs from both system and script input) we can probably get changes merged and released fairly quickly.

I can look into it more later, but unfortunately I don't have a lot of time available to work on this currently so I can't promise any timeline for updating it myself.

from nexpose-client.
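
The behaviour described in the last comment, as an added Ruby example that is not code from the nexpose-client gem: a trust store holding only a CA-signed endpoint certificate fails chain validation, while a store holding the issuing root (alone or layered on the system store) succeeds. The helper names `make_cert`, `build_trust_store` and `verification_results`, and the generated root CA and console certificate, are constructed for illustration.

```ruby
require 'openssl'

# Constructed sample certificate; self-signed when no issuer is given.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Build a trust store from a PEM bundle (one or more certificates),
# optionally layered on top of the system default trust store.
def build_trust_store(pem_bundle, include_system: false)
  store = OpenSSL::X509::Store.new
  store.set_default_paths if include_system
  pem_bundle.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m) do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  store
end

# Verify a CA-signed console certificate against three different stores.
def verification_results
  ca_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('Example Internal Root CA', ca_key, ca: true)
  leaf = make_cert('console.example.test', leaf_key, issuer_cert: root, issuer_key: ca_key)
  {
    # Store holds only the endpoint certificate: its issuer cannot be found.
    endpoint_only: build_trust_store(leaf.to_pem).verify(leaf),
    # Store holds the issuing root: the chain validates.
    root_only: build_trust_store(root.to_pem).verify(leaf),
    # Root from script input combined with the system store.
    root_plus_system: build_trust_store(root.to_pem, include_system: true).verify(leaf)
  }
end

p verification_results if __FILE__ == $PROGRAM_NAME
```

With a store built this way assigned to `cert_store`, the default `verify_mode` is left in place rather than falling back to `OpenSSL::SSL::VERIFY_NONE`.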
