allow user to set not to verify SSL certificate on request

[garretraziel]

When user is running OpenQA on localhost, it's common that he has self-signed certificate. This allows user to set not to verify SSL certificate to prevent SSL errors on requests.

[lnussel]

just import the self signed cert into the cert store and it will verify just fine

[garretraziel]

While it's possible, I don't see any harm in adding this option. For example, I rebuild my docker images containing OpenQA from time to time and doing this requires removing old certificate and adding new certificate each time. While it's definitely not suitable in production, it would simplify things during development.

[lnussel]

what's the point of using https then? you can just talk http to openQA

[garretraziel]

And will it work with OpenID login? If yes, then this isn't necessary.

[lnussel]

sure, with this in /etc/openqa/openqa.ini:
[openid]
httpsonly = 0

[AdamWill]

Sure, the client is actually supposed to default to non-encrypted connections for localhost when it's using localhost as the 'default' host:

    # If server not specified, default to the first one in the
    # configuration file. If no configuration file, default to
    # localhost.
    if not server:
        try:
            server = config.sections()[0]
        except (configparser.MissingSectionHeaderError, IndexError):
            # Default to non-TLS for localhost; cert is unlikely to
            # be valid for 'localhost' and there's no MITM...
            scheme = 'http'
            server = 'localhost'

If you're explicitly listing localhost in the config file, just do it like this:

[http://localhost]
key = BLAHBLAH
secret = BLAHBLAH

and it should do what you want. if those don't work as intended, let me know. But as an amateur TLS dork, I'm generally inclined not to offer 'don't verify cert' options, they only get abused.

For the record, putting a self-signed server cert in the OpenSSL trust store is not generally a good idea; certs in the trust store are trusted to act as CAs, so anyone who stole the server cert could use it to MITM you for any other site they wanted, not only to impersonate the particular site you use it as a server cert for. So, I wouldn't recommend doing that.

[lnussel]

Adam Williamson wrote:

and it should do what you want. if those don't work as intended, let
me know. But as an amateur TLS dork, I'm generally inclined not to
offer 'don't verify cert' options, they only get abused.

Exactly.

For the record, putting a self-signed server cert in the OpenSSL trust
store is not generally a good idea; certs in the trust store are
trusted to act as CAs, so anyone who stole the server cert could use
it to MITM you for any other site they wanted, not only to impersonate
the particular site you use it as a server cert for. So, I wouldn't
recommend doing that.

You are right in general of course but for the case where it's one's own
server I'd rather do that than to add no verify options.

[AdamWill]

For the record, at the time this PR was filed there was a bug with the 'use http for localhost' code, it's since been fixed, and localhost connections use http unless explicitly specified otherwise.

I no longer suggest using [http(s)://server] notation in client.conf either, as the openQA code does not handle that notation, though I've left support for it in the Python client since I put it there to start with. The Perl code only handles hostname entries - [server] - so I recommend using those, and finding some other way to change the scheme if necessary. We should probably co-ordinate the format and behaviour a bit better between upstream and the Python client, I'd like to add a section where you can specify the default server and scheme (I used to think the openQA code defaulted to the first entry in client.conf, as my code does, but it doesn't; it blindly defaults to 'localhost' if a server is not specified somehow...for workers you can specify a server in /etc/openqa/workers.ini, but there's no config file way to specify a default server other than localhost for the client app or any other code that uses the perl client code.)