URL: https://github.com/freeipa/freeipa/pull/506
Title: #506: added ssl verification
tiran commented:
"""
LGTM, but I want @simo5 to give the final ACK.
Since Custodia is only used during replica installation on an enrolled system,
ipa-client-install has already provided the certificate. I don
tscherf commented:
"""
Sorry, closed this by mistake.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/506#issuecomment-282263664
tscherf commented:
"""
When the system wide trust store is supposed to be used here, then something
else must be broken somewhere in the verification code. Without explicitly
using the IPA trust anchor stored
tiran commented:
"""
Please change the title of the commit, too. It implies that we did not verify
certs in the past.
In the future please don't call the system trust store a random collection of
CAs. It's
HonzaCholasta commented:
"""
We don't want to trust certificates issued by random internet CAs, this is how
it should have been from the beginning. A commit message would be nice though.
@tscherf, please add t
tiran commented:
"""
Why do you propose to change the settings? By default python-requests enforces
certificate validation. Without additional settings, it uses the system trust
store. The IPA root CA is injec