From 7e09fa58fc039d5aabdb4f041c03668797479093 Mon Sep 17 00:00:00 2001 From: Phil Dibowitz Date: Thu, 15 Jan 2015 14:35:36 -0800 Subject: Suppress SSL warnings if I know what I'm doing --- CHANGELOG.md | 2 ++ DOC_CHANGES.md | 3 +++ RELEASE_NOTES.md | 5 +++++ lib/chef/client.rb | 2 +- lib/chef/config.rb | 2 ++ spec/unit/config_spec.rb | 4 ++++ 6 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf7c3d9dc3..426b70c224 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,8 @@ * [**Tim Smith**](https://github.com/tas50) Typo fixes * [Pull 2505](https://github.com/opscode/chef/pull/2505) Make Chef handle URIs in a case-insensitive manner +* [**Phil Dibowitz**](https://github.com/jaymzh): + Let people disable SSL warnings. ### Chef Contributions * ruby 1.9.3 support is dropped diff --git a/DOC_CHANGES.md b/DOC_CHANGES.md index 7429baca2a..55b56ac407 100644 --- a/DOC_CHANGES.md +++ b/DOC_CHANGES.md @@ -35,3 +35,6 @@ The `--audit-mode` flag should be a link to the documentation for that flag This probably only needs to be a bullet point added to http://docs.getchef.com/nodes.html#about-why-run-mode under the `certain assumptions` section + +## Suppress SSL Warnings +There is now a `suppress_ssl_warnings` config to suppress the SSL warnings. diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 43c8f06d93..d5c0e5024d 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -64,6 +64,11 @@ The package resource on OpenBSD is wired up to use the new OpenBSD package provi Previously, when a URI scheme contained all uppercase letters, Chef would reject the URI as invalid. In compliance with RFC3986, Chef now treats URI schemes in a case insensitive manner. +## Suppress SSL Warnings +You can now disable SSL warnings with `suppress_ssl_warnings true` in your +config. These warnings are here for a reason, so be sure you know what you +are doing. + # Chef Client Release Notes 12.0.0: # Internal API Changes in this Release 
diff --git a/lib/chef/client.rb b/lib/chef/client.rb index 77f63671d7..9fe45b77df 100644 --- a/lib/chef/client.rb +++ b/lib/chef/client.rb @@ -530,7 +530,7 @@ class Chef end def check_ssl_config - if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert] + if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert] and !Chef::Config[:suppress_ssl_warnings] Chef::Log.warn(<<-WARN) * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * diff --git a/lib/chef/config.rb b/lib/chef/config.rb index 453a8f83da..f65b9a010f 100644 --- a/lib/chef/config.rb +++ b/lib/chef/config.rb @@ -352,6 +352,8 @@ class Chef # be validated. default :ssl_verify_mode, :verify_peer + default :suppress_ssl_warnings, false + # Whether or not to verify the SSL cert for HTTPS requests to the Chef # server API. If set to `true`, the server's cert will be validated # regardless of the :ssl_verify_mode setting. This is set to `true` when diff --git a/spec/unit/config_spec.rb b/spec/unit/config_spec.rb index ed2003e8bf..4ca3c588fd 100644 --- a/spec/unit/config_spec.rb +++ b/spec/unit/config_spec.rb @@ -246,6 +246,10 @@ describe Chef::Config do expect(Chef::Config[:ssl_verify_mode]).to eq(:verify_peer) end + it "Chef::Config[:suppress_ssl_warnings] defaults to false" do + expect(Chef::Config[:ssl_verify_mode]).to eq(false) + end + it "Chef::Config[:ssl_ca_path] defaults to nil" do expect(Chef::Config[:ssl_ca_path]).to be_nil end -- cgit v1.2.1 From d93bda662722486b1dc160adef764095a3b03b80 Mon Sep 17 00:00:00 2001 From: Phil Dibowitz Date: Thu, 15 Jan 2015 15:34:40 -0800 Subject: Fix unittest --- spec/unit/config_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/unit/config_spec.rb b/spec/unit/config_spec.rb index 4ca3c588fd..4cae31b98c 100644 --- a/spec/unit/config_spec.rb +++ b/spec/unit/config_spec.rb 
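Review bot: With `suppress_ssl_warnings` set, the extended condition in `check_ssl_config` drops the only signal that certificate verification is off and leaves nothing in the log, so a node running with `:verify_none` looks the same as a verified one when logs are audited. Consider keeping a one-line record at a lower level when the flag is set, e.g. `Chef::Log.debug("SSL verification is disabled; warning suppressed by suppress_ssl_warnings")`. The chained `and` would also read better as `&&`, the usual operator for boolean conditions. The diffstat lists no client spec change, so the suppressed path appears to be untested; the body of `check_ssl_config` continues outside the hunk.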
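Review bot: The new `default :suppress_ssl_warnings, false` in lib/chef/config.rb has no comment, unlike the SSL settings around it, and it sits between `:ssl_verify_mode` and the comment block that documents `:verify_api_cert`. I would add something like `# Silence the warning logged when SSL verification is disabled. This does not change verification itself.` above it, so nobody reads the option as a way to make the connection safe. The name is also broader than the effect: judging by the client.rb change in this commit, it gates only the one warning in `check_ssl_config`.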
@@ -247,7 +247,7 @@ describe Chef::Config do end it "Chef::Config[:suppress_ssl_warnings] defaults to false" do - expect(Chef::Config[:ssl_verify_mode]).to eq(false) + expect(Chef::Config[:suppress_ssl_warnings]).to eq(false) end it "Chef::Config[:ssl_ca_path] defaults to nil" do -- cgit v1.2.1 From d29a38eb258c006bec566fac30f142aeae0c9e36 Mon Sep 17 00:00:00 2001 From: Phil Dibowitz Date: Fri, 16 Jan 2015 14:16:31 -0800 Subject: Drop the SSL warning now that we have a safe default --- CHANGELOG.md | 2 +- DOC_CHANGES.md | 5 +++-- RELEASE_NOTES.md | 7 +++---- lib/chef/client.rb | 33 --------------------------------- lib/chef/config.rb | 2 -- spec/unit/config_spec.rb | 4 ---- 6 files changed, 7 insertions(+), 46 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 426b70c224..64c35d257b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,7 @@ Typo fixes * [Pull 2505](https://github.com/opscode/chef/pull/2505) Make Chef handle URIs in a case-insensitive manner * [**Phil Dibowitz**](https://github.com/jaymzh): - Let people disable SSL warnings. + Drop SSL warnings now that we have a safe default ### Chef Contributions * ruby 1.9.3 support is dropped diff --git a/DOC_CHANGES.md b/DOC_CHANGES.md index 55b56ac407..dbe79478f5 100644 --- a/DOC_CHANGES.md +++ b/DOC_CHANGES.md @@ -36,5 +36,6 @@ The `--audit-mode` flag should be a link to the documentation for that flag This probably only needs to be a bullet point added to http://docs.getchef.com/nodes.html#about-why-run-mode under the `certain assumptions` section -## Suppress SSL Warnings -There is now a `suppress_ssl_warnings` config to suppress the SSL warnings. +## Drop SSL Warnings +Now that the default for SSL checking is on, no more warning is emitted when SSL +checking is off. diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index d5c0e5024d..329f55555b 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -64,10 +64,9 @@ The package resource on OpenBSD is wired up to use the new OpenBSD package provi Previously, when a URI scheme contained all uppercase letters, Chef would reject the URI as invalid. In compliance with RFC3986, Chef now treats URI schemes in a case insensitive manner. -## Suppress SSL Warnings -You can now disable SSL warnings with `suppress_ssl_warnings true` in your -config. These warnings are here for a reason, so be sure you know what you -are doing. +## Drop SSL Warnings +Now that the default for SSL checking is on, no more warning is emitted when SSL +checking is off. # Chef Client Release Notes 12.0.0: diff --git a/lib/chef/client.rb b/lib/chef/client.rb index 9fe45b77df..3d9678ea31 100644 --- a/lib/chef/client.rb +++ b/lib/chef/client.rb @@ -419,8 +419,6 @@ class Chef begin runlock.save_pid - check_ssl_config - request_id = Chef::RequestID.instance.request_id run_context = nil @events.run_start(Chef::VERSION) @@ -529,37 +527,6 @@ class Chef Chef::ReservedNames::Win32::Security.has_admin_privileges? end - def check_ssl_config - if Chef::Config[:ssl_verify_mode] == :verify_none and !Chef::Config[:verify_api_cert] and !Chef::Config[:suppress_ssl_warnings] - Chef::Log.warn(<<-WARN) - -* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -SSL validation of HTTPS requests is disabled. HTTPS connections are still -encrypted, but chef is not able to detect forged replies or man in the middle -attacks. - -To fix this issue add an entry like this to your configuration file: - -``` - # Verify all HTTPS connections (recommended) - ssl_verify_mode :verify_peer - - # OR, Verify only connections to chef-server - verify_api_cert true -``` - -To check your SSL configuration, or troubleshoot errors, you can use the -`knife ssl check` command like so: - -``` - knife ssl check -c #{Chef::Config.config_file} -``` - -* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -WARN - end - end - end end 
diff --git a/lib/chef/config.rb b/lib/chef/config.rb index f65b9a010f..453a8f83da 100644 --- a/lib/chef/config.rb +++ b/lib/chef/config.rb @@ -352,8 +352,6 @@ class Chef # be validated. default :ssl_verify_mode, :verify_peer - default :suppress_ssl_warnings, false - # Whether or not to verify the SSL cert for HTTPS requests to the Chef # server API. If set to `true`, the server's cert will be validated # regardless of the :ssl_verify_mode setting. This is set to `true` when diff --git a/spec/unit/config_spec.rb b/spec/unit/config_spec.rb index 4cae31b98c..ed2003e8bf 100644 --- a/spec/unit/config_spec.rb +++ b/spec/unit/config_spec.rb @@ -246,10 +246,6 @@ describe Chef::Config do expect(Chef::Config[:ssl_verify_mode]).to eq(:verify_peer) end - it "Chef::Config[:suppress_ssl_warnings] defaults to false" do - expect(Chef::Config[:suppress_ssl_warnings]).to eq(false) - end - it "Chef::Config[:ssl_ca_path] defaults to nil" do expect(Chef::Config[:ssl_ca_path]).to be_nil end -- cgit v1.2.1