

Pagekite.py 0.5.9, CA trust issue

By Bjarni Rúnar 2016-11-22, 10:58

Version 0.5.9 of pagekite.py has been released and is available for download.

This is a critical update; please upgrade as soon as possible!

Highlights since version 0.5.8:

  • Fix how pagekite.py loads CA certificates (critical)
  • Add --fe_nocertcheck, --whitelabel and --whitelabels arguments
  • Create vipagekite for safer configuration editing

The latter two features will be discussed in future blog posts; please read on for information on the critical Certificate Authority trust issue.

The CA trust issue

This release of pagekite.py fixes a critical bug in how pagekite.py verifies the authenticity of the relays and other servers, including dynamic DNS. Note that although this post focuses on the impact on PageKite.net users, the same flaw may also have caused problems for people using TLS certificates with their own relay infrastructure.

Pagekite.py uses TLS to protect the integrity and confidentiality of its connections to the PageKite.net servers, and until recently the PageKite service TLS certificates were signed by StartCom. Unfortunately, due to a breach of trust, StartCom is no longer a trusted certificate authority and we are in the process of changing our certificates as a result.

Normally changing certificates and Certificate Authorities would be a routine upgrade, but due to a bug in the pagekite.py default configuration, certificates signed by any authority other than StartCom will fail to validate. This update corrects that flaw.

The StartCom-signed certificate we use to secure the PageKite tunnels will last for two more years, but the certificate used to validate our dynamic DNS service expires later this week - on the 26th of November.

Impact Timeline

November 26, 2016: old versions of pagekite.py will no longer be able to update DNS records.

Most of the time, this will cause no problems. However, in the event of network outages or server downtime, PageKite's ability to adapt and migrate to a different relay will be impaired - even if pagekite.py establishes a new tunnel connection.

Late 2018: old versions of pagekite.py will stop working completely.

At this point, our last certificate from StartCom will have expired and instances of pagekite.py that have neither been upgraded nor reconfigured will go off-line. The exact date for this event is currently unknown; the certificate itself expires on December 27th, 2018, but we may need to change certificates sooner if other issues come up.

Solutions

The preferred solution is to upgrade to pagekite.py 0.5.9 or later.

If an upgrade is infeasible, a configuration change can also be used to work around the issue: add the following line to your configuration (after the defaults line, if it is present):

ca_certs=/etc/ssl/certs/ca-certificates.crt

Notes:

  • Edit ~/.pagekite.rc if you are using pagekite.py from the CLI or GUI on Linux or OS X
  • Edit pagekite.cfg if you are using pagekite.py on Windows.
  • Edit /etc/pagekite.d/20_frontends.rc if you are using the Debian (or RPM) package.
  • The actual certificate store path depends on your operating system; please check and adapt as necessary.
  • If your operating system does not provide a certificate authority bundle, you can download one from the cURL home page.
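
An added example (not code from pagekite.py or the PageKite project) for the workaround above: it checks which CA bundle path on this system actually loads certificates, then places the ca_certs line after the defaults line. The bundle paths other than the one in the post, the exact form of the defaults line, and the sample configuration are assumptions.

```python
import ssl

# Candidate CA bundle locations. The first is the path from the post; the
# others are assumptions about other systems. Adapt to your OS.
CANDIDATE_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu (path used in the post)
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora/RHEL/CentOS
    "/etc/ssl/ca-bundle.pem",              # openSUSE
    "/etc/ssl/cert.pem",                   # macOS, Alpine, BSDs
]


def count_ca_certs(path):
    """Return how many CA certificates OpenSSL loads from path (0 if unusable)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # missing or unreadable file, or no PEM certificates in it
        return 0
    return len(ctx.get_ca_certs())


def find_bundle(candidates=CANDIDATE_BUNDLES):
    """Return the first candidate path that holds at least one CA certificate."""
    for path in candidates:
        if count_ca_certs(path) > 0:
            return path
    return None


def add_ca_certs(config_text, bundle_path):
    """Return the config with one ca_certs line, placed after 'defaults' if present."""
    # Drop any existing ca_certs setting so the file ends up with exactly one.
    lines = [l for l in config_text.splitlines()
             if l.split("=", 1)[0].strip() != "ca_certs"]
    stripped = [l.strip() for l in lines]
    # Assumption: the defaults line is the bare word "defaults".
    pos = stripped.index("defaults") + 1 if "defaults" in stripped else len(lines)
    lines.insert(pos, "ca_certs=" + bundle_path)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample configuration, not a real account.
    sample = "kitename=example.pagekite.me\ndefaults\nkitesecret=REDACTED\n"
    bundle = find_bundle()
    if bundle is None:
        print("No usable CA bundle found at the candidate paths.")
    else:
        print("%s: %d CA certificates" % (bundle, count_ca_certs(bundle)))
        print(add_ca_certs(sample, bundle), end="")
```
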
