authorIgor Drozdov <idrozdov@gitlab.com>2022-01-12 17:15:18 +0300
committerIgor Drozdov <idrozdov@gitlab.com>2022-01-12 17:19:44 +0300
commit537f8e192908172863e93a97871409a8f043c292 (patch)
treed2ecf7d0eecc4dfea41ca7b1590d2a21db16620f
parent4989011bedc7c33aa49cdac3c230ae9fdcdb49fd (diff)
downloadgitlab-shell-id-deprecate-self-signed-cert.tar.gz
Deprecate self_signed_cert config settingid-deprecate-self-signed-cert
The option isn't required to accept self-signed certs. On the other hand, if the option is set to true, it makes a machine-in-the-middle attack possible. Let's clarify in the code that the option is deprecated.
-rw-r--r--client/httpclient.go5
-rw-r--r--config.yml.example5
2 files changed, 9 insertions, 1 deletions
diff --git a/client/httpclient.go b/client/httpclient.go
index 7b8a35c..5bbfbce 100644
--- a/client/httpclient.go
+++ b/client/httpclient.go
@@ -162,7 +162,10 @@ func buildHttpsTransport(hcc httpClientCfg, selfSignedCert bool, gitlabURL strin
}
}
tlsConfig := &tls.Config{
- RootCAs: certPool,
+ RootCAs: certPool,
+ // The self_signed_cert config setting is deprecated
+ // The field and its usage is going to be removed in
+ // https://gitlab.com/gitlab-org/gitlab-shell/-/issues/541
InsecureSkipVerify: selfSignedCert,
MinVersion: tls.VersionTLS12,
}
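Review bot: The new comment above `InsecureSkipVerify: selfSignedCert` says the setting is deprecated but not what it does, which is the point an operator reading this code needs: when it is true, crypto/tls accepts any certificate and any host name, so the `RootCAs: certPool` built just above from ca_file/ca_path is not consulted at all. I would state that explicitly, e.g. `// Deprecated: when selfSignedCert is true, TLS verification is disabled entirely and RootCAs is bypassed; trust self-signed certs via ca_file/ca_path instead.`, and keep the issue link. Since the behaviour is deliberately retained until the removal in issue 541, it would also be worth emitting a runtime warning when `selfSignedCert` is true, if a logger is available in this package, so deployments still relying on it are noticed before the field is removed. `buildHttpsTransport` starts and ends outside this hunk, so the right place for such a warning cannot be confirmed from here.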
diff --git a/config.yml.example b/config.yml.example
index 5662d2e..4db258b 100644
--- a/config.yml.example
+++ b/config.yml.example
@@ -26,6 +26,11 @@ http_settings:
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
+#
+# The self_signed_cert option is deprecated
+# When it's set to true, any certificate is accepted, which may make machine-in-the-middle attack possible
+# Certificates specified in ca_file and ca_path are trusted anyway even if they are self-signed
+# Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/120
self_signed_cert: false
# File used as authorized_keys for gitlab user