summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Kozono <mkozono@gmail.com>2017-08-29 16:47:43 -0700
committerMichael Kozono <mkozono@gmail.com>2017-08-30 11:27:01 -0700
commitdd3e7ff036401b4c3b754a24bfdf9248ae8a8fe5 (patch)
tree5968190fe4af68daeaedf1a24f657f06d9d466cc
parentcbaa015cc9f55a387cdab85a6ba4b8c9c6ab447e (diff)
downloadgitlab-ce-dd3e7ff036401b4c3b754a24bfdf9248ae8a8fe5.tar.gz
Default LDAP config verify_certificates to true
Diffstat
-rw-r--r--config/gitlab.yml.example5
-rw-r--r--config/initializers/1_settings.rb17
-rw-r--r--doc/administration/auth/ldap.md9
3 files changed, 13 insertions, 18 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 25285525846..545c01e1156 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -273,9 +273,8 @@ production: &base
encryption: 'plain'
# Enables SSL certificate verification if encryption method is
- # "start_tls" or "simple_tls". (Defaults to false for backward-
- # compatibility)
- verify_certificates: false
+ # "start_tls" or "simple_tls". Defaults to true.
+ verify_certificates: true
# Specifies the path to a file containing a PEM-format CA certificate,
# e.g. if you need to use an internal CA.
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index abaabad5d65..360b72cdea3 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
server['encryption'] = 'simple_tls' if server['encryption'] == 'ssl'
server['encryption'] = 'start_tls' if server['encryption'] == 'tls'
- # Certificates are not verified for backwards compatibility.
- # This default should be flipped to true in 9.5.
- if server['verify_certificates'].nil?
- server['verify_certificates'] = false
-
- message = <<-MSG.strip_heredoc
- LDAP SSL certificate verification is disabled for backwards-compatibility.
- Please add the "verify_certificates" option to gitlab.yml for each LDAP
- server. Certificate verification will be enabled by default in GitLab 9.5.
- MSG
- Rails.logger.warn(message)
- end
+ # Certificate verification was added in 9.4.2, and defaulted to false for
+ # backwards-compatibility.
+ #
+ # Since GitLab 10.0, verify_certificates defaults to true for security.
+ server['verify_certificates'] = true if server['verify_certificates'].nil?
Settings.ldap['servers'][key] = server
end
diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md
index 425c924cdf2..d22815dfa5e 100644
--- a/doc/administration/auth/ldap.md
+++ b/doc/administration/auth/ldap.md
@@ -87,9 +87,12 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
encryption: 'plain'
# Enables SSL certificate verification if encryption method is
- # "start_tls" or "simple_tls". (Defaults to false for backward-
- # compatibility)
- verify_certificates: false
+ # "start_tls" or "simple_tls". Defaults to true since GitLab 10.0 for
+ # security. This may break installations upon upgrade to 10.0, that did
+ # not know their LDAP SSL certificates were not setup properly. For
+ # example, when using self-signed certificates, the ca_file path may
+ # need to be specified.
+ verify_certificates: true
# Specifies the path to a file containing a PEM-format CA certificate,
# e.g. if you need to use an internal CA.
View Lorry Controller Status