authorAsh McKenzie <amckenzie@gitlab.com>2022-01-13 02:13:00 +0000
committerAsh McKenzie <amckenzie@gitlab.com>2022-01-13 02:13:00 +0000
commitda719e7d9abe52e56b3b03ffa34b0ede5090ce99 (patch)
treed2ecf7d0eecc4dfea41ca7b1590d2a21db16620f
parent4989011bedc7c33aa49cdac3c230ae9fdcdb49fd (diff)
parent537f8e192908172863e93a97871409a8f043c292 (diff)
downloadgitlab-shell-da719e7d9abe52e56b3b03ffa34b0ede5090ce99.tar.gz
Merge branch 'id-deprecate-self-signed-cert' into 'main'
Deprecate self_signed_cert config setting See merge request gitlab-org/gitlab-shell!552
-rw-r--r--client/httpclient.go5
-rw-r--r--config.yml.example5
2 files changed, 9 insertions, 1 deletions
diff --git a/client/httpclient.go b/client/httpclient.go
index 7b8a35c..5bbfbce 100644
--- a/client/httpclient.go
+++ b/client/httpclient.go
@@ -162,7 +162,10 @@ func buildHttpsTransport(hcc httpClientCfg, selfSignedCert bool, gitlabURL strin
}
}
tlsConfig := &tls.Config{
- RootCAs: certPool,
+ RootCAs: certPool,
+ // The self_signed_cert config setting is deprecated
+ // The field and its usage is going to be removed in
+ // https://gitlab.com/gitlab-org/gitlab-shell/-/issues/541
InsecureSkipVerify: selfSignedCert,
MinVersion: tls.VersionTLS12,
}
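Review bot: The comment added above `InsecureSkipVerify: selfSignedCert` says the setting is deprecated but not why, and the code still disables certificate chain and hostname verification silently whenever the flag is true. I would state the risk in the comment, for example `// Deprecated: true disables all certificate and hostname verification; trust a self-signed CA via ca_file/ca_path instead.`, and emit a one-time deprecation warning through the package's existing logging when `selfSignedCert` is set, so operators notice before the field is removed. The comment here points to issue 541 while the config.yml.example hunk points to issue 120; if that split is intentional (removal tracking versus background), a word saying so would avoid confusion. buildHttpsTransport begins and ends outside this hunk, so whether a warning is already logged elsewhere cannot be seen from here.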
diff --git a/config.yml.example b/config.yml.example
index 5662d2e..4db258b 100644
--- a/config.yml.example
+++ b/config.yml.example
@@ -26,6 +26,11 @@ http_settings:
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
+#
+# The self_signed_cert option is deprecated
+# When it's set to true, any certificate is accepted, which may make machine-in-the-middle attack possible
+# Certificates specified in ca_file and ca_path are trusted anyway even if they are self-signed
+# Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/120
self_signed_cert: false
# File used as authorized_keys for gitlab user