- From: Daniel DeLeo <
>
- To:
- Subject: [chef] Re: Re: chef-provisioning configuration for winrm w/ ssl-transport (and self signed certs)
- Date: Fri, 2 Oct 2015 08:33:06 -0700
On Thursday, October 1, 2015 at 12:26 PM, Chris McClimans wrote:
> In order for ssl to work, we need to tell ssl that it's ok that
> ssl_subject CN doesn't match the ip.
> Any thoughts on how to proceed?
I’m not sure about WinRM, but for HTTP, you would only want to disable this
check temporarily while you’re figuring things out, or if you’ve convinced
yourself there’s no way you can be MITM’d.
For example, with what you’re suggesting, an attacker could hijack your local
DNS so that it sends requests for amazon.com to my server, and have their
server give you a certificate for a totally different website (which itself
could be legit).
> https://github.com/ii/chef-provisioning-aws/pull/2/files#r40951990
>
> #[19] pry(#<Chef::Provisioning::AWSDriver::Driver>)> endpoint.split('/')[2].split(':').first
> # => "10.113.70.104"
> # [20] pry(#<Chef::Provisioning::AWSDriver::Driver>)> machine_spec.reference[:winrm_ssl_subject]
> # => "IP-0A714668"
> #
> # [1] pry(#<Chef::Provisioning::AWSDriver::Driver>)> Chef::Provisioning::Transport::WinRM.new("#{endpoint}", type, winrm_options, {}).execute('hostname')
> # OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
> # from /home/hh/.rvm/gems/ruby-2.2.0/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:307:in `connect'
> # [2] pry(#<Chef::Provisioning::AWSDriver::Driver>)> wtf!
> # Exception: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
> # --
> # 0: /home/hh/.rvm/gems/ruby-2.2.0/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:307:in `connect'
> # 1: /home/hh/.rvm/gems/ruby-2.2.0/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:307:in `ssl_connect'
> # 2: /home/hh/.rvm/gems/ruby-2.2.0/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:755:in `block in connect'
> # 3: /home/hh/.rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/timeout.rb:89:in `block in timeout'
> # 4: /home/hh/.rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/timeout.rb:99:in `call'
> # 5: /home/hh/.rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/timeout.rb:99:in `timeout'
> # 6: /home/hh/.rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/timeout.rb:125:in `timeout'
> # 8: /home/hh/.rvm/gems/ruby-2.2.0/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:612:in `query'
> # 9: /home/hh/.rvm/gems/ruby-2.2.0/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:164:in `query'
> # [3] pry(#<Chef::Provisioning::AWSDriver::Driver>)> winrm_options
> # => {:user=>"Administrator",
> # :pass=>"(xntd8f=-HNnuJ3",
> # :disable_sspi=>false,
> # :basic_auth_only=>false,
> # :no_ssl_peer_verification=>false,
This looks like the setting you’d change here, but disabling this should not
be the default if there is any other way.
> # :ca_trust_path=>"/home/hh/provisioning/.chef/trusted_certs/base-2012-hardened-6.crt"}
--
Daniel DeLeo
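A worked illustration of the two separate checks this thread is circling (chain trust, which :ca_trust_path satisfies, versus subject-name matching, which fails when the endpoint is an IP and the cert's CN is "IP-0A714668"), added by the editor and not code from the thread or from chef-provisioning. The certificate is generated in memory from the CN and IP quoted in the pry session; the helper names are the editor's own.

```ruby
require 'openssl'
# Constructed sample values taken from the pry session quoted above.
HOST_CN = 'IP-0A714668'    # winrm_ssl_subject: the CN in the machine's self-signed cert
HOST_IP = '10.113.70.104'  # the address the endpoint URL actually connects to

# Build a self-signed certificate in memory. In the real setup this is the file
# referenced by :ca_trust_path; it is generated here so the example runs offline.
def self_signed_cert(common_name, san_ips: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  unless san_ips.empty?
    sans = san_ips.map { |ip| "IP:#{ip}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', sans))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Check 1, chain trust: what :ca_trust_path buys you. The self-signed cert is
# pinned as the only trust anchor, so :no_ssl_peer_verification can stay false.
def trusted_by_store?(presented, trust_anchor)
  store = OpenSSL::X509::Store.new
  store.add_cert(trust_anchor)
  store.verify(presented)
end

# Check 2, identity: the name used to connect must match the cert's subjectAltName
# (or its CN when no SAN is present). This is what fails when you connect by IP.
def identity_matches?(presented, connect_name)
  OpenSSL::SSL.verify_certificate_identity(presented, connect_name)
end

if __FILE__ == $0
  cert = self_signed_cert(HOST_CN)
  puts "pinned cert chain-verifies:       #{trusted_by_store?(cert, cert)}"   # true
  puts "connect by IP #{HOST_IP}:       #{identity_matches?(cert, HOST_IP)}"  # false
  puts "connect by CN #{HOST_CN}:        #{identity_matches?(cert, HOST_CN)}" # true
  san = self_signed_cert(HOST_CN, san_ips: [HOST_IP])
  puts "cert with SAN IP, connect by IP: #{identity_matches?(san, HOST_IP)}"  # true
end
```

The takeaway matches Daniel's point: keep peer verification on, pin the machine's cert through :ca_trust_path, and resolve the name mismatch by connecting with a name the cert actually carries (or issuing the cert with an IP SAN) rather than by turning the check off.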