diff options
author | danielsdeleo <dan@getchef.com> | 2014-03-21 16:07:02 -0700 |
---|---|---|
committer | danielsdeleo <dan@getchef.com> | 2014-03-24 12:17:03 -0700 |
commit | ed0dc002f86ba2ea0a35b7f73f42397914e99e50 (patch) | |
tree | 546d1347f678ce910cec2052242ae5141be42840 /lib/chef/client.rb | |
parent | 6eaaea33a61658bae7cc224cdd2eb0db74413efc (diff) | |
download | chef-ed0dc002f86ba2ea0a35b7f73f42397914e99e50.tar.gz |
Check SSL configuration once per client run.
We want to ensure users see this. Also add a longer description of the
risks of the verify_none setting and a pointer to `knife ssl check` for
troubleshooting help. The warning message looks like this:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.
To fix this issue add an entry like this to your configuration file:
```
# Verify all HTTPS connections (recommended)
ssl_verify_mode :verify_peer
# OR, Verify only connections to chef-server
verify_api_cert true
```
To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:
```
knife ssl check -c /etc/chef/client.rb
```
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ** * * * *
Diffstat (limited to 'lib/chef/client.rb')
-rw-r--r-- | lib/chef/client.rb | 38 |
1 files changed, 34 insertions, 4 deletions
diff --git a/lib/chef/client.rb b/lib/chef/client.rb index 12e32350d1..2e5963e996 100644 --- a/lib/chef/client.rb +++ b/lib/chef/client.rb @@ -311,10 +311,6 @@ class Chef # === Returns # rest<Chef::REST>:: returns Chef::REST connection object def register(client_name=node_name, config=Chef::Config) - if config[:ssl_verify_mode] == :verify_none && !config[:verify_api_cert] - Chef::Log.warn "SSL validation of Chef API Endpoint is disabled, " \ - "set verify_api_cert to true or ssl_verify_mode to :verify_peer to enable." - end if !config[:client_key] @events.skipping_registration(client_name, config) Chef::Log.debug("Client key is unspecified - skipping registration") @@ -405,6 +401,9 @@ class Chef # don't add code that may fail before entering this section to be sure to release lock begin runlock.save_pid + + check_ssl_config + request_id = Chef::RequestID.instance.request_id run_context = nil @events.run_start(Chef::VERSION) @@ -493,6 +492,37 @@ class Chef Chef::ReservedNames::Win32::Security.has_admin_privileges? end + def check_ssl_config + if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert] + Chef::Log.warn(<<-WARN) + +* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * +SSL validation of HTTPS requests is disabled. HTTPS connections are still +encrypted, but chef is not able to detect forged replies or man in the middle +attacks. + +To fix this issue add an entry like this to your configuration file: + +``` + # Verify all HTTPS connections (recommended) + ssl_verify_mode :verify_peer + + # OR, Verify only connections to chef-server + verify_api_cert true +``` + +To check your SSL configuration, or troubleshoot errors, you can use the +`knife ssl check` command like so: + +``` + knife ssl check -c #{Chef::Config.config_file} +``` + +* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * +WARN + end + end + end end |