Allow verification of the SSL cert that's used for SWIS API port (tcp/17778)

Currently it's not possible to use any verification of the SSL cert used by Orion on the SWIS API port (tcp/17778), because it is a self-signed SSL cert with a CN of SolarWinds-Orion on all of the pollers in the solution (see Enabling SSL Certificate Verification for the SDK). This means that verification of the SSL connection is not possible, even if you save a copy of the SSL cert, given the CN mismatch.

It would be wonderful if Orion Core were updated so that the certificate used on the SWIS API port (tcp/17778) was valid and verification of the SSL connection was possible, by each server having its own FQDN as the CN instead of SolarWinds-Orion.

It would be even better if the self-signed cert could be replaced with a CA-signed cert. This would also fix the constant SSL cert warnings that are seen in SWQL Studio.

10 Comments
Community Manager

I'd go one step further and request the ability (during the initial configuration wizard) to say "use my internal CA for certificate generation."

Maybe with a "what FQDN would you like to use for SolarWinds Orion" so that you could maybe do "orion.domain.local" as a registered certificate that could be used on the website.

Level 11

All of this would be very useful, and it was a real pain when setting up our platform; however, I'm very much aiming to make it possible to prevent man-in-the-middle attacks when using the SDK and to clear out the many Python warnings in our logs.

Community Manager

I know what you mean - being forced to use "ignore" commands gets on my nerves, but I've had to use them all too often. I do think that this should be fixed.

Level 10

+1, it makes me sad doing this:

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // SSL: certificate subject name 'SolarWinds-Orion' does not match target host name
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

I'd like to upvote +1 this feature/fix as a matter of urgency!

We've had to install a rather crude workaround for our corporate telecom client here in Austin, TX. Would like to see a more permanent fix for our client and how SWIS interacts with our Industrial Internet (IIoT) platform - we're using Python to connect on SWIS API port (TCP/17778).

Thanks,

Graeme

Graeme Cloughley, Chief Architect

Information Xchange Inc.

http://ixot.io

gcloughley@information-xchange.com

Level 7

Adding another request for this feature - We're unable to use the SWIS API currently, as our security policies mandate that no self-signed certificates be used.

This represents a fairly significant security flaw in SWIS and should be addressed immediately.

Level 8

Agreed, please work on this.

In PowerShell I need to remember to include the following lines to get information out of it:

#region PREWORK Disabling the certificate validations
# Registers a certificate policy that accepts every server certificate,
# whatever the validation error, for the whole PowerShell process.
Add-Type -TypeDefinition @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;   // accept regardless of certificateProblem
        }
    }
"@
[Net.ServicePointManager]::CertificatePolicy = New-Object -TypeName TrustAllCertsPolicy
#endregion PREWORK

Excel can't even be 'cheated' into ignoring certificate issues:

[screenshot: SolarWinds-Excel-Query-CertError.png]

Level 8

It appears current Python will throw a new error, because the self-signed cert doesn't have a subjectAltName:

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for ae-lsw-01.aenetad.net has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
Traceback (most recent call last):
requests.exceptions.SSLError: hostname 'ae-lsw-01.aenetad.net' doesn't match u'SolarWinds-Orion'
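The original post says verification is impossible even with a saved copy of the cert because of the CN mismatch, and the PHP, PowerShell and Python snippets in the comments above all respond by switching verification off. The added example below (not code from the thread or from SolarWinds) shows the middle ground a client can take until the certificate is fixed: pin the SHA-256 fingerprint of the poller's leaf certificate and refuse the connection unless exactly that certificate is presented. The TLS stack's chain and host-name checks are disabled, since neither can succeed against a self-signed cert with CN SolarWinds-Orion and no subjectAltName, but the fingerprint check replaces them, so a man-in-the-middle with a different cert is rejected rather than silently accepted. The host name, credentials and SWQL query are placeholders; the REST path /SolarWinds/InformationService/v3/Json/Query, Basic auth and the "results" key in the response are taken from the public orionsdk client and are assumptions here.

```python
"""
Pin the SWIS API (tcp/17778) server certificate by SHA-256 fingerprint
instead of disabling TLS verification. Added example, not SolarWinds code.
Host names, credentials, the query and the REST path/response shape are
assumptions for illustration (the path follows the public orionsdk client).
"""
import base64
import hashlib
import hmac
import http.client
import json
import socket
import ssl
import sys
import urllib.parse

SWIS_PORT = 17778


def sha256_fingerprint(der_cert: bytes) -> str:
    """Upper-case hex SHA-256 of a DER-encoded certificate, no separators."""
    return hashlib.sha256(der_cert).hexdigest().upper()


def normalize_fingerprint(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex, as printed by openssl or
    certutil, so copied pins compare correctly."""
    return "".join(ch for ch in fingerprint if ch.isalnum()).upper()


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(pinned))


def _unverified_context() -> ssl.SSLContext:
    # The cert's CN is 'SolarWinds-Orion' and it carries no subjectAltName, so
    # neither chain nor host-name validation can pass in the TLS stack. Both
    # are turned off here and the fingerprint check in connect() takes over.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_server_fingerprint(host: str, port: int = SWIS_PORT, timeout: float = 10) -> str:
    """Bootstrap step: connect once, out of band, and record the leaf cert's
    fingerprint. Confirm it against the poller's own certificate store before
    committing it to configuration; a pin learned over a hostile network is worthless."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _unverified_context().wrap_socket(raw, server_hostname=host) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True))


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS connection that is torn down unless the server presented exactly
    the pinned certificate."""

    def __init__(self, host: str, port: int, pinned_fingerprint: str, **kwargs):
        super().__init__(host, port, context=_unverified_context(), **kwargs)
        self._pin = normalize_fingerprint(pinned_fingerprint)

    def connect(self) -> None:
        super().connect()  # TCP connect + TLS handshake; self.sock is now an SSLSocket
        presented = self.sock.getpeercert(binary_form=True)  # DER, available even with CERT_NONE
        if not hmac.compare_digest(sha256_fingerprint(presented), self._pin):
            self.sock.close()
            raise ssl.SSLCertVerificationError(
                f"SWIS certificate fingerprint mismatch for {self.host}:{self.port}: "
                f"got {sha256_fingerprint(presented)}, expected {self._pin}")


def swis_query(host: str, user: str, password: str, swql: str,
               pinned_fingerprint: str, port: int = SWIS_PORT) -> list:
    """Run a SWQL query over a pinned connection. Endpoint path, Basic auth and
    the 'results' key are assumed from the public orionsdk client."""
    conn = PinnedHTTPSConnection(host, port, pinned_fingerprint, timeout=30)
    path = "/SolarWinds/InformationService/v3/Json/Query?" + urllib.parse.urlencode({"query": swql})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("GET", path, headers={"Authorization": "Basic " + token,
                                       "Accept": "application/json"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"SWIS returned HTTP {resp.status}: {body[:200]!r}")
    return json.loads(body)["results"]


if __name__ == "__main__":
    # Usage: python swis_pin.py <poller-fqdn>  (prints the pin to record)
    if len(sys.argv) != 2:
        sys.exit("usage: swis_pin.py <poller-host>")
    print("SWIS leaf certificate SHA-256:", fetch_server_fingerprint(sys.argv[1]))
```

Each poller has its own self-signed certificate, so there is one pin per poller, and the pin has to be rotated whenever the certificate is regenerated (for example on an Orion upgrade); that maintenance burden is exactly why a proper CN/SAN or CA-signed certificate, as requested in this thread, is the real fix. For the `orionsdk` client specifically, the same adapter idea can be mounted on its `requests` session, but the stdlib version above keeps the example dependency-free.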

Level 13

Bump!

Community Manager
Status changed to: Open for Voting