Fix client certs #240

Merged
merged 2 commits into from
Oct 16, 2023
Conversation

mrinnetmaki (Member)

Or at least attempt to. The challenge is that the error we get only manifests in production environment.

Risk analysis

  • Risks of the implementation in this pull request have been analyzed with the following results:
  • No significant risks.

Significance

  • Analysis of whether the software change is considered significant (ref. MDCG 2020-3, chart C) has been made with the following result:
  • Not a significant change; can be made to the product certified according to MDD.
    • Reasons for the decision - No changes to the product, only to security config

Security check-up

https://github.com/OWASP/www-project-top-ten/blob/master/index.md

  • A01:2021-Broken Access Control - Improves overall security config by using the client certificate feature in the way that's documented in the library.
  • A02:2021-Cryptographic Failures - No direct changes to crypto or sensitive data, but an improvement in PKI management.
  • A03:2021-Injection - No changes in data input or database code
  • A04:2021-Insecure Design - Not directly a change in design, but changing the implementation, to be more robust.
  • A05:2021-Security Misconfiguration - Improves overall security config by using the client certificate feature in the way that's documented in the library.
  • A06:2021-Vulnerable and Outdated Components - The original error causing this was due to an outdated component. This PR fixes the issue.
  • A07:2021-Identification and Authentication Failures - Improving the way our app is identified by Omatietovaranto.
  • A08:2021-Software and Data Integrity Failures - No changes to artifacts or build process.
  • A09:2021-Security Logging and Monitoring Failures - No changes to logging, no new needs identified.
  • A10:2021-Server-Side Request Forgery - No changes to URL or link processing or request handling.

We now get an error in production when connecting to Omatietovaranto, and the warning:
> DeprecationWarning: Got: "options.key" was never documented, please use "options.https.key"
@mrinnetmaki mrinnetmaki merged commit 28b1fb1 into master Oct 16, 2023
2 checks passed
mrinnetmaki (Member Author)

Superseded by #242. That's the real fix.
