Remove the ssl_verification field from the Webhook model
#15387
Comments
While I absolutely agree that SSL verification should be the default and enabled whenever possible, I am pretty sure that removing the option to disable SSL verification will cause a lot of problems in many environments. Many of my customers, especially the smaller ones with understaffed IT departments, use their internal CAs or even self-signed certificates for internal systems (which in my experience are the majority of target servers for Webhooks), and don't have a sensible way of distributing their CAs' root certificates to all systems. While that's certainly not optimal, it's unfortunately the status quo. The fact that it's not exactly straightforward to add your own CA for systems using Removing the option of disabling SSL verification will break Webhooks in these cases, and the quick and dirty solution to this is to disable TLS altogether and communicate in clear text, which is much worse than unvalidated TLS. My two cents: Display a visible warning when
The webhook model also provides a mechanism for indicating the path to a specific CA file via its
I would agree that it should be a configurable setting; the default can be false.
I always laugh at my teammates who ignore SSL in all their scripts because it's too hard ;)
If someone gets into a situation where a cert has expired (or is using a self-signed cert) on a remote server and there is no way to bypass this, they might instead choose to send in plaintext over HTTP, which would be worse than sending traffic to an https endpoint with an expired or self-signed cert.
Proposed Changes
Remove the ssl_verification field from the Webhook model. If enabled, this bypasses validation of the SSL certificate on the remote server.
Justification
Disabling certificate validation presents a legitimate security concern, as it exposes outgoing webhooks to interception by a third party.
Impact
NetBox will need to be able to validate the SSL certificate of any HTTPS-enabled remote receivers.
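The issue body describes the flag being removed and the comment above it mentions a CA-file setting as the supported path for internal CAs. The following is an added example written for this page, not NetBox's own code: it models the pre-change behaviour (a flag that could return `verify=False`), the post-change behaviour (validation always on, optionally against a configured CA bundle), and a check an operator could run over exported webhook records to find the receivers that currently depend on disabled validation. The record field names, sample names and URLs are constructed for the example.

```python
"""Outgoing-webhook TLS settings: the removed switch versus always-on validation.

Added example for this issue page, not NetBox code. It models an
`ssl_verification` flag that, when False, disabled certificate validation, and
a CA-file setting pointing at an internal CA bundle. The record field names
(`name`, `payload_url`, `ssl_verification`, `ca_file_path`) and the sample
records below are constructed, not taken from any real deployment.
"""
import os
import ssl


def legacy_verify_arg(ssl_verification, ca_file_path=None):
    """Pre-change behaviour: the flag could switch validation off entirely.

    Returning False is what `requests` needs to skip certificate validation,
    which is the interception exposure the issue's justification describes.
    """
    if not ssl_verification:
        return False
    return ca_file_path or True


def webhook_verify_arg(ca_file_path=None):
    """Post-change behaviour: the `verify` argument for requests.request().

    Validation is never switched off. Without a CA file the system trust store
    is used; with one, the remote certificate must chain to that bundle, which
    is how a deployment using an internal CA keeps its webhooks working.
    """
    if not ca_file_path:
        return True
    if not os.path.isfile(ca_file_path):
        raise FileNotFoundError(f"webhook CA file not found: {ca_file_path}")
    with open(ca_file_path, "rb") as fh:
        if b"-----BEGIN CERTIFICATE-----" not in fh.read():
            raise ValueError(f"not a PEM certificate bundle: {ca_file_path}")
    return ca_file_path


def webhook_tls_context(ca_file_path=None):
    """The same policy as an ssl.SSLContext, for senders built on urllib/http.client."""
    verify = webhook_verify_arg(ca_file_path)
    ctx = ssl.create_default_context(cafile=None if verify is True else verify)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject chains that do not validate
    ctx.check_hostname = True            # and certificates issued for another host
    return ctx


def validation_enforced(ctx):
    """True when a context both validates the chain and matches the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


# Constructed sample records in the shape an operator might export before the
# field is removed; names and URLs are placeholders.
SAMPLE_WEBHOOKS = [
    {"name": "ticketing", "payload_url": "https://tickets.example.internal/hook",
     "ssl_verification": True, "ca_file_path": ""},
    {"name": "legacy-cmdb", "payload_url": "https://cmdb.example.internal/hook",
     "ssl_verification": False, "ca_file_path": ""},
    {"name": "chatops", "payload_url": "https://chat.example.com/hook",
     "ssl_verification": True, "ca_file_path": ""},
]


def webhooks_relying_on_disabled_validation(webhooks):
    """Names of webhooks that would stop working once the flag is removed.

    These receivers' certificates do not validate today; each needs its CA
    added to the trust store or a CA file configured before upgrading.
    """
    return sorted(w["name"] for w in webhooks if not w["ssl_verification"])


if __name__ == "__main__":
    print("before: verify =", legacy_verify_arg(False))   # False: validation off
    print("after:  verify =", webhook_verify_arg(None))    # True: system trust store
    print("needs attention:", webhooks_relying_on_disabled_validation(SAMPLE_WEBHOOKS))
```

Running the audit function over a real export before upgrading gives the list of receivers to fix, which addresses the concern raised in the comments that operators would otherwise fall back to plaintext HTTP.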