[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tiran commented: """ LGTM, but I want @simo5 to give the final ACK. Since Custodia is only used during replica installation on an enrolled system, ipa-client-install has already provided the certificate. I don't see any issue in the proposed fix. ```ipaserver.secrets.client``` does not yet use Custodia's own client library. I'll keep the problem in mind once we have updated to recent Custodia version. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282272478 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tscherf commented: """ Sorry, closed this by mistake. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282263664 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tscherf commented: """ When the system wide trust store is supposed to be used here, then something else must be broken somewhere in the verification code. Without explicitly using the IPA trust anchor stored in IPA_CA_CRT, the installer failed with an "[SSL: CERTIFICATE_VERIFY_FAILED]" error. We have seen this in CA-less and chained CA setups. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282262743 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tiran commented: """ Please change the title of the commit, too. It's implies that we did not verify certs in the past. In the future please don't call the system trust store a random collection of CAs. It's diminishing and vilifying the hard work of the security team to provide a secure selection of CA certs. This change is purely an attempt to harden IPA and use the same selection of CAs everywhere. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282259839 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification HonzaCholasta commented: """ We don't want to trust certificates issued by random internet CAs, this is how it should have been from the beginning. A commit message would be nice though. @tscherf, please add this ticket URL to the commit message: https://fedorahosted.org/freeipa/ticket/6686 """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282254224 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#506][comment] added ssl verification
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tiran commented: """ Why do you propose to change the settings? By default python-requests enforces certificate validation. Without additional settings, it uses the system trust store. The IPA root CA is injected into the system trust store. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282253632 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
