Bug #5903 (closed)
rudder-metrics-reporting is relying on local CA bundles to validate https
Description
We do not have any control over which CAs are registered on people's machines, and often those CA bundles fail to validate our certificate for feedback.rudder-project.org.
We should either disable validation using -k or provide our own CA bundle to validate the connection.
What do you think ?
Updated by Jonathan CLARKE almost 10 years ago
Since the data sent is anonymous, why use https at all? I think a http connection would be just fine.
I'm against using -k because this disables certificate checking and can give a false illusion of security.
Updated by François ARMAND almost 10 years ago
The data is anonymised, but at the moment of the send, someone can intercept the connection (a typical man-in-the-middle attack, for example with DNS poisoning on the feedback URL) and then know who sent the information and learn things that should not be public about the user's internal infrastructure.
So I think we should encrypt the connection.
Updated by Jonathan CLARKE almost 10 years ago
- Status changed from Discussion to 8
OK. Then let's provide the necessary CA bundles.
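The option chosen above, shipping a CA bundle with the client rather than passing -k, can be demonstrated offline with a throwaway PKI. The script below is an added example and is not Rudder's code or part of the pull request: it builds a private CA (standing in for the CA that issued the feedback server's certificate), signs a server certificate for the placeholder name feedback.example.test, and then verifies that certificate against the shipped bundle and against an unrelated CA (standing in for whatever bundle happens to be on the user's machine). The hostname, file names and function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the rudder-packages fix.
# Shows why shipping our own CA bundle works where the host bundle fails,
# and why neither case needs curl -k.
set -e

# Minimal OpenSSL config so the demo does not depend on the host's openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:feedback.example.test
EOF
}

# Build a private CA and a server certificate signed by it under $1.
# Both are constructed for the demo; the CN/SAN values are placeholders.
make_pki() {
  dir=$1
  mkdir -p "$dir"
  write_cnf "$dir/openssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Demo Feedback CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -config "$dir/openssl.cnf" \
    -subj "/CN=feedback.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions srv_ext \
    -out "$dir/server.pem" >/dev/null 2>&1
}

# Verify a server certificate against a given CA bundle only.
# Returns 0 when the chain validates, non-zero otherwise; this is the same
# check curl performs when called with --cacert <bundle>.
verify_with_bundle() {
  bundle=$1
  cert=$2
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# Run the two cases the ticket describes: our shipped bundle validates the
# feedback server certificate, an unrelated host bundle does not.
demo() {
  tmp=$(mktemp -d)
  make_pki "$tmp/ours"   # CA that actually issued the server certificate
  make_pki "$tmp/host"   # unrelated CA, standing in for the user's machine
  if verify_with_bundle "$tmp/ours/ca.pem" "$tmp/ours/server.pem"; then
    echo "shipped bundle: server certificate validates"
  fi
  if ! verify_with_bundle "$tmp/host/ca.pem" "$tmp/ours/server.pem"; then
    echo "host bundle: verification fails, as the ticket reports"
  fi
  rm -rf "$tmp"
}

demo
```

With a real endpoint the equivalent client call is `curl --cacert /path/to/shipped-bundle.pem https://...`: the bundle pins which issuer is acceptable, the hostname is still checked against the certificate's subjectAltName, and no `-k` is involved, so a DNS-poisoned host presenting a certificate from any other CA is rejected.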
Updated by Benoît PECCATTE almost 10 years ago
- Status changed from 8 to Pending technical review
- Assignee changed from Benoît PECCATTE to Matthieu CERDA
- Pull Request set to https://github.com/Normation/rudder-packages/pull/566
Updated by Benoît PECCATTE almost 10 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset packages:rudder-packages|commit:4dc4da948d3d73934807d1cc8dcf3f6ee8bf6251.
Updated by Jonathan CLARKE almost 10 years ago
Applied in changeset packages:rudder-packages|commit:a3063126d7742181be176c66e3b7e2b32f8e9f59.
Updated by Vincent MEMBRÉ almost 10 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.0.0~beta2, which was released these days.
- Announcement 3.0
- Changelog 3.0
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/