From 7e09fa58fc039d5aabdb4f041c03668797479093 Mon Sep 17 00:00:00 2001
From: Phil Dibowitz <phil@ipom.com>
Date: Thu, 15 Jan 2015 14:35:36 -0800
Subject: Suppress SSL warnings if I know what I'm doing

---
 CHANGELOG.md             | 2 ++
 DOC_CHANGES.md           | 3 +++
 RELEASE_NOTES.md         | 5 +++++
 lib/chef/client.rb       | 2 +-
 lib/chef/config.rb       | 2 ++
 spec/unit/config_spec.rb | 4 ++++
 6 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf7c3d9dc3..426b70c224 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,8 @@
 * [**Tim Smith**](https://github.com/tas50)
   Typo fixes
 * [Pull 2505](https://github.com/opscode/chef/pull/2505) Make Chef handle URIs in a case-insensitive manner
+* [**Phil Dibowitz**](https://github.com/jaymzh):
+  Let people disable SSL warnings.
 
 ### Chef Contributions
 * ruby 1.9.3 support is dropped
diff --git a/DOC_CHANGES.md b/DOC_CHANGES.md
index 7429baca2a..55b56ac407 100644
--- a/DOC_CHANGES.md
+++ b/DOC_CHANGES.md
@@ -35,3 +35,6 @@ The `--audit-mode` flag should be a link to the documentation for that flag
 
 This probably only needs to be a bullet point added to http://docs.getchef.com/nodes.html#about-why-run-mode under the
 `certain assumptions` section
+
+## Suppress SSL Warnings
+There is now a `suppress_ssl_warnings` config to suppress the SSL warnings.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 43c8f06d93..d5c0e5024d 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -64,6 +64,11 @@ The package resource on OpenBSD is wired up to use the new OpenBSD package provi
 
 Previously, when a URI scheme contained all uppercase letters, Chef would reject the URI as invalid. In compliance with RFC3986, Chef now treats URI schemes in a case insensitive manner.
 
+## Suppress SSL Warnings
+You can now disable SSL warnings with `suppress_ssl_warnings true` in your
+config. These warnings are here for a reason, so be sure you know what you
+are doing.
+
 # Chef Client Release Notes 12.0.0:
 
 # Internal API Changes in this Release
diff --git a/lib/chef/client.rb b/lib/chef/client.rb
index 77f63671d7..9fe45b77df 100644
--- a/lib/chef/client.rb
+++ b/lib/chef/client.rb
@@ -530,7 +530,7 @@ class Chef
     end
 
     def check_ssl_config
-      if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert]
+      if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert] and !Chef::Config[:suppress_ssl_warnings]
         Chef::Log.warn(<<-WARN)
 
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
diff --git a/lib/chef/config.rb b/lib/chef/config.rb
index 453a8f83da..f65b9a010f 100644
--- a/lib/chef/config.rb
+++ b/lib/chef/config.rb
@@ -352,6 +352,8 @@ class Chef
     # be validated.
     default :ssl_verify_mode, :verify_peer
 
+    default :suppress_ssl_warnings, false
+
     # Whether or not to verify the SSL cert for HTTPS requests to the Chef
     # server API. If set to `true`, the server's cert will be validated
     # regardless of the :ssl_verify_mode setting. This is set to `true` when
diff --git a/spec/unit/config_spec.rb b/spec/unit/config_spec.rb
index ed2003e8bf..4ca3c588fd 100644
--- a/spec/unit/config_spec.rb
+++ b/spec/unit/config_spec.rb
@@ -246,6 +246,10 @@ describe Chef::Config do
           expect(Chef::Config[:ssl_verify_mode]).to eq(:verify_peer)
         end
 
+        it "Chef::Config[:suppress_ssl_warnings] defaults to false" do
+          expect(Chef::Config[:ssl_verify_mode]).to eq(false)
+        end
+
         it "Chef::Config[:ssl_ca_path] defaults to nil" do
           expect(Chef::Config[:ssl_ca_path]).to be_nil
         end
-- 
cgit v1.2.1


From d93bda662722486b1dc160adef764095a3b03b80 Mon Sep 17 00:00:00 2001
From: Phil Dibowitz <phil@ipom.com>
Date: Thu, 15 Jan 2015 15:34:40 -0800
Subject: Fix unittest

---
 spec/unit/config_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/unit/config_spec.rb b/spec/unit/config_spec.rb
index 4ca3c588fd..4cae31b98c 100644
--- a/spec/unit/config_spec.rb
+++ b/spec/unit/config_spec.rb
@@ -247,7 +247,7 @@ describe Chef::Config do
         end
 
         it "Chef::Config[:suppress_ssl_warnings] defaults to false" do
-          expect(Chef::Config[:ssl_verify_mode]).to eq(false)
+          expect(Chef::Config[:suppress_ssl_warnings]).to eq(false)
         end
 
         it "Chef::Config[:ssl_ca_path] defaults to nil" do
-- 
cgit v1.2.1


From d29a38eb258c006bec566fac30f142aeae0c9e36 Mon Sep 17 00:00:00 2001
From: Phil Dibowitz <phil@ipom.com>
Date: Fri, 16 Jan 2015 14:16:31 -0800
Subject: Drop the SSL warning now that we have a safe default

---
 CHANGELOG.md             |  2 +-
 DOC_CHANGES.md           |  5 +++--
 RELEASE_NOTES.md         |  7 +++----
 lib/chef/client.rb       | 33 ---------------------------------
 lib/chef/config.rb       |  2 --
 spec/unit/config_spec.rb |  4 ----
 6 files changed, 7 insertions(+), 46 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 426b70c224..64c35d257b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,7 +20,7 @@
   Typo fixes
 * [Pull 2505](https://github.com/opscode/chef/pull/2505) Make Chef handle URIs in a case-insensitive manner
 * [**Phil Dibowitz**](https://github.com/jaymzh):
-  Let people disable SSL warnings.
+  Drop SSL warnings now that we have a safe default
 
 ### Chef Contributions
 * ruby 1.9.3 support is dropped
diff --git a/DOC_CHANGES.md b/DOC_CHANGES.md
index 55b56ac407..dbe79478f5 100644
--- a/DOC_CHANGES.md
+++ b/DOC_CHANGES.md
@@ -36,5 +36,6 @@ The `--audit-mode` flag should be a link to the documentation for that flag
 This probably only needs to be a bullet point added to http://docs.getchef.com/nodes.html#about-why-run-mode under the
 `certain assumptions` section
 
-## Suppress SSL Warnings
-There is now a `suppress_ssl_warnings` config to suppress the SSL warnings.
+## Drop SSL Warnings
+Now that the default for SSL checking is on, no more warning is emitted when SSL
+checking is off.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index d5c0e5024d..329f55555b 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -64,10 +64,9 @@ The package resource on OpenBSD is wired up to use the new OpenBSD package provi
 
 Previously, when a URI scheme contained all uppercase letters, Chef would reject the URI as invalid. In compliance with RFC3986, Chef now treats URI schemes in a case insensitive manner.
 
-## Suppress SSL Warnings
-You can now disable SSL warnings with `suppress_ssl_warnings true` in your
-config. These warnings are here for a reason, so be sure you know what you
-are doing.
+## Drop SSL Warnings
+Now that the default for SSL checking is on, no more warning is emitted when SSL
+checking is off.
 
 # Chef Client Release Notes 12.0.0:
 
diff --git a/lib/chef/client.rb b/lib/chef/client.rb
index 9fe45b77df..3d9678ea31 100644
--- a/lib/chef/client.rb
+++ b/lib/chef/client.rb
@@ -419,8 +419,6 @@ class Chef
       begin
         runlock.save_pid
 
-        check_ssl_config
-
         request_id = Chef::RequestID.instance.request_id
         run_context = nil
         @events.run_start(Chef::VERSION)
@@ -529,37 +527,6 @@ class Chef
       Chef::ReservedNames::Win32::Security.has_admin_privileges?
     end
 
-    def check_ssl_config
-      if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert] and !Chef::Config[:suppress_ssl_warnings]
-        Chef::Log.warn(<<-WARN)
-
-* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-SSL validation of HTTPS requests is disabled. HTTPS connections are still
-encrypted, but chef is not able to detect forged replies or man in the middle
-attacks.
-
-To fix this issue add an entry like this to your configuration file:
-
-```
-  # Verify all HTTPS connections (recommended)
-  ssl_verify_mode :verify_peer
-
-  # OR, Verify only connections to chef-server
-  verify_api_cert true
-```
-
-To check your SSL configuration, or troubleshoot errors, you can use the
-`knife ssl check` command like so:
-
-```
-  knife ssl check -c #{Chef::Config.config_file}
-```
-
-* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-WARN
-      end
-    end
-
   end
 end
 
diff --git a/lib/chef/config.rb b/lib/chef/config.rb
index f65b9a010f..453a8f83da 100644
--- a/lib/chef/config.rb
+++ b/lib/chef/config.rb
@@ -352,8 +352,6 @@ class Chef
     # be validated.
     default :ssl_verify_mode, :verify_peer
 
-    default :suppress_ssl_warnings, false
-
     # Whether or not to verify the SSL cert for HTTPS requests to the Chef
     # server API. If set to `true`, the server's cert will be validated
     # regardless of the :ssl_verify_mode setting. This is set to `true` when
diff --git a/spec/unit/config_spec.rb b/spec/unit/config_spec.rb
index 4cae31b98c..ed2003e8bf 100644
--- a/spec/unit/config_spec.rb
+++ b/spec/unit/config_spec.rb
@@ -246,10 +246,6 @@ describe Chef::Config do
           expect(Chef::Config[:ssl_verify_mode]).to eq(:verify_peer)
         end
 
-        it "Chef::Config[:suppress_ssl_warnings] defaults to false" do
-          expect(Chef::Config[:suppress_ssl_warnings]).to eq(false)
-        end
-
         it "Chef::Config[:ssl_ca_path] defaults to nil" do
           expect(Chef::Config[:ssl_ca_path]).to be_nil
         end
-- 
cgit v1.2.1