Merge pull request #2012 from opscode/mcquin/verify_peer_default

Change :ssl_verify_mode config default to :verify_peer

4 files changed, 14 insertions, 6 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d3b4d82d21..e5b7532632 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -133,6 +133,7 @@
   to be able to configure these settings on the bootstrapped node.
 * Add partial_search dsl method to Chef::Search::Query, add result filtering to search.
 * Transfer trusted certificates under :trusted_certs_dir during bootstrap.
+* Set :ssl_verify_mode to :verify_peer by default.
 
 ## Last Release: 11.14.2
 
diff --git a/lib/chef/config.rb b/lib/chef/config.rb
index 1963a95aab..74607e8368 100644
--- a/lib/chef/config.rb
+++ b/lib/chef/config.rb
@@ -331,10 +331,11 @@ class Chef
     default :ssl_client_cert, nil
     default :ssl_client_key, nil
 
-    # Whether or not to verify the SSL cert for all HTTPS requests. If set to
-    # :verify_peer, all HTTPS requests will be validated regardless of other
-    # SSL verification settings.
-    default :ssl_verify_mode, :verify_none
+    # Whether or not to verify the SSL cert for all HTTPS requests. When set to
+    # :verify_peer (default), all HTTPS requests will be validated regardless of other
+    # SSL verification settings. When set to :verify_none no HTTPS requests will
+    # be validated.
+    default :ssl_verify_mode, :verify_peer
 
     # Whether or not to verify the SSL cert for HTTPS requests to the Chef
     # server API. If set to `true`, the server's cert will be validated
diff --git a/spec/support/shared/functional/file_resource.rb b/spec/support/shared/functional/file_resource.rb
index 804830fcdc..72b72912bd 100644
--- a/spec/support/shared/functional/file_resource.rb
+++ b/spec/support/shared/functional/file_resource.rb
@@ -284,6 +284,7 @@ shared_examples_for "a file resource" do
 
     before do
       Chef::Config[:why_run] = true
+      Chef::Config[:ssl_verify_mode] = :verify_none
     end
 
     after do
@@ -333,6 +334,10 @@ shared_examples_for "file resource not pointing to a real file" do
     !symlink?(file_path) && File.file?(file_path)
   end
 
+  before do
+    Chef::Config[:ssl_verify_mode] = :verify_none
+  end
+
   describe "when force_unlink is set to true" do
     it ":create unlinks the target" do
       real_file?(path).should be_false
@@ -363,6 +368,7 @@ shared_examples_for "a configured file resource" do
 
   before do
     Chef::Log.level = :info
+    Chef::Config[:ssl_verify_mode] = :verify_none
   end
 
    # note the stripping of the drive letter from the tmpdir on windows
diff --git a/spec/unit/config_spec.rb b/spec/unit/config_spec.rb
index af71c43b77..41411669e6 100644
--- a/spec/unit/config_spec.rb
+++ b/spec/unit/config_spec.rb
@@ -242,8 +242,8 @@ describe Chef::Config do
           Chef::Config[:file_backup_path].should == backup_path
         end
 
-        it "Chef::Config[:ssl_verify_mode] defaults to :verify_none" do
-          Chef::Config[:ssl_verify_mode].should == :verify_none
+        it "Chef::Config[:ssl_verify_mode] defaults to :verify_peer" do
+          Chef::Config[:ssl_verify_mode].should == :verify_peer
         end
 
         it "Chef::Config[:ssl_ca_path] defaults to nil" do