Use HTTPS for updates
Upon installing an update on a FreeNAS system, I noticed the following in /var/log/debug.log
Aug 28 08:57:38 HOSTNAME updated.py: [freenasOS.Configuration:767] TryGetNetworkFile([u'http://update.ixsystems.com/FreeNAS/Packages/base-os-9.10.2-U6-f6fe96f39c77c8db48c23815e290c103.tgz', u'http://update-master.ixsystems.com/FreeNAS/Packages/base-os-9.10.2-U6-f6fe96f39c77c8db48c23815e290c103.tgz']): Read 29360128 bytes
This seems to be a pretty clear indication that FreeNAS is insecurely checking for updates. (Note the use of "HTTP" instead of "HTTPS").
FreeNAS should update itself in a secure manner. While the update mechanism appears to check the signature of the downloaded update:
Aug 28 09:02:03 HOSTNAME updated.py: [freenasOS.Manifest:448] Verify command = ['/usr/local/libexec/verify_signature', '-K', '/usr/local/share/certs/Production.pem', '-C', '/usr/local/share/certs/iX-CA.pem', '-S', u'DkFKkgqcePwGMZ9JkZxg0bzUCYAvl0aOXjqicTqgVSMbji2q4GGh6UD/NXoMTmOlDxCl66Q6jCY1Sj6calFtExMg2NYR2jWgTRvY7f1qBDsk9oez5IBD6eRiqtqlvJhLylHVRztVIhGMgzg7p9t82wn9yqRBPaNV5gAw19KeHmeJYlI2ISAS/0NDBWtAdo3OeZh2zp0lWwoqXIkhih6GSBZFMc6klcxGUgGFLlbpwtClt7EvlJl3FhIYq5CpuyuLVggL1IgWKN1qv9Xd789VUDMefyQ6CM3zTzsHlpd4ZHzHOzkV9kfHluNNRYIGU96mmBxm2PMNZJoWDaTFoj5fhw==', '-R', '/tmp/tmphy0KCB.pem'] Aug 28 09:02:03 HOSTNAME updated.py: [freenasOS.Manifest:464] Signature check succeeded
using an insecure channel (HTTP) for updates still may leave open the possibility of an attacker to perform a "downgrade" or other attack. Even just the process of checking for updates could put a system at risk, e.g. if FreeNAS doesn't sanitize the data obtained from e.g. <http://update-master.ixsystems.com/FreeNAS/FreeNAS
In order to support https for the update sites, I needed to
switch to a different module/package for handling the downloads.
The requests package is already in the system, and appears to
handle the cases I want.
(cherry picked from commit 8039c24785f8d0abdb384af995321f489b267588)
#4 Updated by Dru Lavigne almost 2 years ago
- Tracker changed from Purchase Requests to Bug
- Project changed from SysAdmin to FreeNAS
- Category changed from IT Infrastructure to Forums/Websites
- Status changed from Closed: Not To Be Fixed to Unscreened
- Seen in set to 11.0-U2
- Hide from ChangeLog set to No
- ChangeLog Required set to No
- Needs QA set to Yes
- QA Status Not Tested added
#8 Updated by Ross Morris over 1 year ago
Kris Moore wrote:
I'll work with David to see when we can get https:// across the board enabled.
Hi Kris! Would that include www.freenas.org as well or would that be better covered in a new issue? I went to look up something on the website and was quite saddened to see https:// redirect to http:// instead of the other way around
I noticed we did have https support for the mirrors, so I made a PR and asked William to review it.
master PR: https://github.com/freenas/freenas-pkgtools/pull/12
followup master PR: https://github.com/freenas/freenas-pkgtools/pull/13
11.2 PR: https://github.com/freenas/freenas-pkgtools/pull/15
revised master PR: https://github.com/freenas/freenas-pkgtools/pull/16