Should suport SSL verification

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Blocker Blocker
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 0.8.2
  • Component/s: Chef Client
  • Labels:
    None

Description

We currently support disabling SSL certificate verification, but we don't properly support actually verifiying them. This fixing this issue will require adding a module to Ohai to find where a useful set of root ssl certificate authority data lives, so we can then use it when we call Net::HTTP.

At which point something like:

http.ca_path = /etc/ssl/certs
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5

Should do the trick nicely.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Adam Jacob added a comment -

Setting this to a blocker, as we can't release 0.8.0 without it being fixed.

Show
Adam Jacob added a comment - Setting this to a blocker, as we can't release 0.8.0 without it being fixed.
Hide
Permalink
Tollef Fog Heen added a comment -

Apparently, you want

http.enable_post_connection_check = true

too, to check that the host name actually matches.

Show
Tollef Fog Heen added a comment - Apparently, you want http.enable_post_connection_check = true too, to check that the host name actually matches.
Hide
Permalink
Tollef Fog Heen added a comment -

Also, please make sure you can specify a file with the CA certificate in, not just a directory. Not all of us would like any of the default-installed CAs to be able to spoof our chef server.

Show
Tollef Fog Heen added a comment - Also, please make sure you can specify a file with the CA certificate in, not just a directory. Not all of us would like any of the default-installed CAs to be able to spoof our chef server.
Hide
Permalink
Tollef Fog Heen added a comment -

http://github.com/tfheen/chef/tree/CHEF-491 should fix this.

Show
Tollef Fog Heen added a comment - http://github.com/tfheen/chef/tree/CHEF-491 should fix this.
Hide
Permalink
Adam Jacob added a comment -

You rule, Tollef. This has been merged and pushed to opscode/master.

Show
Adam Jacob added a comment - You rule, Tollef. This has been merged and pushed to opscode/master.

People

  • Assignee:
    Adam Jacob
    Reporter:
    Adam Jacob
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: