Merge branch 'id-deprecate-self-signed-cert' into 'main'

ashmckenzie · ashmckenzie · commit da719e7d9abe · 2022-01-13T02:13:00.000Z
Deprecate self_signed_cert config setting

See merge request gitlab-org/gitlab-shell!552
diff --git a/client/httpclient.go b/client/httpclient.go
@@ -162,7 +162,10 @@ func buildHttpsTransport(hcc httpClientCfg, selfSignedCert bool, gitlabURL strin
 		}
 	}
 	tlsConfig := &tls.Config{
-		RootCAs:            certPool,
+		RootCAs: certPool,
+		// The self_signed_cert config setting is deprecated
+		// The field and its usage is going to be removed in
+		// https://gitlab.com/gitlab-org/gitlab-shell/-/issues/541
 		InsecureSkipVerify: selfSignedCert,
 		MinVersion:         tls.VersionTLS12,
 	}
diff --git a/config.yml.example b/config.yml.example
@@ -26,6 +26,11 @@ http_settings:
 #  password: somepass
 #  ca_file: /etc/ssl/cert.pem
 #  ca_path: /etc/pki/tls/certs
+#
+#  The self_signed_cert option is deprecated
+#  When it's set to true, any certificate is accepted, which may make machine-in-the-middle attack possible
+#  Certificates specified in ca_file and ca_path are trusted anyway even if they are self-signed
+#  Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/120
   self_signed_cert: false
 
 # File used as authorized_keys for gitlab user

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,10 @@ func buildHttpsTransport(hcc httpClientCfg, selfSignedCert bool, gitlabURL strin`
`162`	`162`	`}`
`163`	`163`	`}`
`164`	`164`	`tlsConfig := &tls.Config{`
`165`		`- RootCAs: certPool,`
	`165`	`+ RootCAs: certPool,`
	`166`	`+ // The self_signed_cert config setting is deprecated`
	`167`	`+ // The field and its usage is going to be removed in`
	`168`	`+ // https://gitlab.com/gitlab-org/gitlab-shell/-/issues/541`
`166`	`169`	`InsecureSkipVerify: selfSignedCert,`
`167`	`170`	`MinVersion: tls.VersionTLS12,`
`168`	`171`	`}`