Project

General

Profile

Actions

Bug #5903

closed

rudder-metrics-reporting is relying on local CA bundles to validate https

Added by Matthieu CERDA over 6 years ago. Updated over 6 years ago.

Status:
Released
Priority:
1
Assignee:
Matthieu CERDA
Category:
System integration
Target version:
Severity:
User visibility:
Effort required:
Priority:

Description

We do not have any control over what CA's are registered in people machines, and often those CA bundle fail to validate our certificate for feedback.rudder-project.org

We should either disable validation using -k or provide our own CA bundles to validate the connection.

What do you think ?

Actions #1

Updated by Jonathan CLARKE over 6 years ago

Since the data sent is anonymous, why use https at all? I think a http connection would be just fine.

I'm against using -K because this disables certificate checking and can give a false illusion of security.

Actions #2

Updated by François ARMAND over 6 years ago

The data is anonymised, but at the moment of the send, someone can intercept the connection (typical man in the middle attack, for ex. with dns poisoning on the url for feedback) and then know who sent the information and learn things that should not be public about the internal infra of the user.

So I think we should encrypt the connection.

Actions #3

Updated by Jonathan CLARKE over 6 years ago

  • Status changed from Discussion to 8

OK. Then let's provide the necessary CA bundles.

Actions #4

Updated by Benoît PECCATTE over 6 years ago

  • Status changed from 8 to Pending technical review
  • Assignee changed from Benoît PECCATTE to Matthieu CERDA
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/566
Actions #5

Updated by Benoît PECCATTE over 6 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset packages:rudder-packages|commit:4dc4da948d3d73934807d1cc8dcf3f6ee8bf6251.

Actions #6

Updated by Jonathan CLARKE over 6 years ago

Applied in changeset packages:rudder-packages|commit:a3063126d7742181be176c66e3b7e2b32f8e9f59.

Actions #7

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.0.0~beta2, which were these days.

Actions

Also available in: Atom PDF