Merge branch 'id-deprecate-self-signed-cert' into 'main'

Deprecate self_signed_cert config setting See merge request gitlab-org/gitlab-shell!552

Merge branch 'id-deprecate-self-signed-cert' into 'main'
da719e7d · Ash McKenzie · 4989011b · 537f8e19 · da719e7d · da719e7d
Commit da719e7d authored 3 years ago by Ash McKenzie
--- a/client/httpclient.go
+++ b/client/httpclient.go
@@ -162,7 +162,10 @@ func buildHttpsTransport(hcc httpClientCfg, selfSignedCert bool, gitlabURL strin
 		}
 	}
 	tlsConfig := &tls.Config{
-		RootCAs:            certPool,
+		RootCAs: certPool,
+		// The self_signed_cert config setting is deprecated
+		// The field and its usage is going to be removed in
+		// https://gitlab.com/gitlab-org/gitlab-shell/-/issues/541
 		InsecureSkipVerify: selfSignedCert,
 		MinVersion:         tls.VersionTLS12,
 	}

--- a/config.yml.example
+++ b/config.yml.example
@@ -26,6 +26,11 @@ http_settings:
 #  password: somepass
 #  ca_file: /etc/ssl/cert.pem
 #  ca_path: /etc/pki/tls/certs
+#
+#  The self_signed_cert option is deprecated
+#  When it's set to true, any certificate is accepted, which may make machine-in-the-middle attack possible
+#  Certificates specified in ca_file and ca_path are trusted anyway even if they are self-signed
+#  Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/120
  self_signed_cert: false

 # File used as authorized_keys for gitlab user