Deprecate self_signed_cert config setting

The option isn't required to accept self-signed certs On the other hand, if the option set to true it makes machine-in-the-middle attack possible Let's clarify it in the code that the option is deprecated

Deprecate self_signed_cert config setting
537f8e19 · Igor Drozdov · 4989011b · 537f8e19 · 537f8e19
Commit 537f8e19 authored 3 years ago by Igor Drozdov
--- a/client/httpclient.go
+++ b/client/httpclient.go
@@ -162,7 +162,10 @@ func buildHttpsTransport(hcc httpClientCfg, selfSignedCert bool, gitlabURL strin
 		}
 	}
 	tlsConfig := &tls.Config{
-		RootCAs:            certPool,
+		RootCAs: certPool,
+		// The self_signed_cert config setting is deprecated
+		// The field and its usage is going to be removed in
+		// https://gitlab.com/gitlab-org/gitlab-shell/-/issues/541
 		InsecureSkipVerify: selfSignedCert,
 		MinVersion:         tls.VersionTLS12,
 	}

--- a/config.yml.example
+++ b/config.yml.example
@@ -26,6 +26,11 @@ http_settings:
 #  password: somepass
 #  ca_file: /etc/ssl/cert.pem
 #  ca_path: /etc/pki/tls/certs
+#
+#  The self_signed_cert option is deprecated
+#  When it's set to true, any certificate is accepted, which may make machine-in-the-middle attack possible
+#  Certificates specified in ca_file and ca_path are trusted anyway even if they are self-signed
+#  Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/120
  self_signed_cert: false

 # File used as authorized_keys for gitlab user