fixes #250 and provides the option to set ssl_peer_verify to false #251
👎 These options are a scourge and too much of a footgun IMO.
👍 but could we change the parameter name so it's extremely clear what it's for? It feels too generic now which may confuse users. How about
@adamleff in a Slack conversation we have been discussing the merits of other routes to achieve the same end but without flipping the power button on security. The thinking is that if we can provide guidance to users on how to manage their cacert.pem store with the fake root cert used in an environment as described in #250, that's a more "legit" approach. I want to keep this open while we explore that. Question is can users actually make it work in possibly sophisticated proxied environments where they may need to feed a chain of certs to the openssl cert file. A carte-blanche verify_none may be the lesser evil in some dev/test environments.
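The trust-store route described in the comment above, as an added example that is not part of the original thread or the project's code: the environment's private root is added to the certificate store and peer verification stays on. The helper names, certificate subjects and keys are hypothetical and constructed for the demonstration.

```ruby
require "openssl"

# Build a certificate for the constructed sample data below.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = ca ? "CA:TRUE" : "CA:FALSE"
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", bc, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed sample: a throwaway root standing in for the proxy's private
# root CA, and a leaf certificate it issues for a made-up host name.
ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert("example-proxy-root", ROOT_KEY, 1, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert("host.example.test", LEAF_KEY, 2, issuer: ROOT, issuer_key: ROOT_KEY)

# Hypothetical helper: system trust anchors plus the extra PEM-encoded roots.
def trust_store_with(extra_ca_pems)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  extra_ca_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store
end

# Hypothetical helper: a TLS context that uses the store and still verifies peers.
def tls_context(store)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

if __FILE__ == $PROGRAM_NAME
  puts "system roots only: #{trust_store_with([]).verify(LEAF)}"
  puts "with private root: #{trust_store_with([ROOT.to_pem]).verify(LEAF)}"
end
```

For the proxied environments the comment mentions, each intermediate CA in the chain would be passed in the same list as the root.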
If we do add something like this as an escape hatch, I would make the name something that makes it clear this is security risk. "disable TLS verification" sounds bad, but like "click through a Windows warning I've been desensitized to" bad :-/ Maybe just have a boolean for
Yeah, I'm not crazy about having an option like this either, but we do have users where this may be the right solution. We could also look at doing something like Proxies gonna prox. A "quick fix" here is to just make this change but also print out a HUGE warning each time kitchen is run explaining what's happening and encouraging them to visit a URL to a doc that explains how to fix this while still maintaining TLS verification.
If we can get this rebased and an appropriate warning and option name selected this still seems like a good thing.
Can we get a rebase? Are we still 👍 on this?
rebased. I'm still +1. |
@mwrock merged some other PRs and now we need a rebase here - will get this as soon as you land one |
The oddest thing is that now it says the merge has no conflicts which may be due to my merge/revert so I guess we don't need a rebase after all. |