Kibana doesn't properly trust server certificates with an empty Subject #57009
Labels: bug, Team:Security
Kibana version: 7.6 and below
Original install method (e.g. download page, yum, from source, etc.): source
Describe the bug: Kibana doesn't properly establish trust for server certificates that have an empty Subject and a valid Subject Alternative Name (SAN). This problem can be encountered any place in Kibana that establishes an outbound HTTPS connection.
Steps to reproduce:
Script to generate such a certificate
Expected behavior: Kibana should connect to Elasticsearch and properly trust the TLS certificate. According to RFC 5280 section 4.1.2.6, an end-entity certificate does not have to have a Subject set to be valid.
Provide logs and/or server output (if relevant): As described above, this problem can be encountered any place in Kibana that establishes an outbound HTTPS connection. The specific error message is:
Hostname/IP does not match certificate's altnames: Cert is empty
Sample server output:
Any additional context: Kibana relies on the Node platform for TLS certificate validation. This problem was identified in nodejs/node#11771 and fixed in nodejs/node#22906. The fix is applied to Node version 13.3.0+ and 12.14.1+. However, Kibana currently uses Node 10.19.x.