Bug #5903
closed
rudder-metrics-reporting is relying on local CA bundles to validate https
Added by Matthieu CERDA almost 10 years ago.
Updated almost 10 years ago.
Category: System integration
Description
We do not have any control over what CAs are registered on people's machines, and often those CA bundles fail to validate our certificate for feedback.rudder-project.org.
We should either disable validation using -k or provide our own CA bundle to validate the connection.
What do you think ?
Since the data sent is anonymous, why use https at all? I think an http connection would be just fine.
I'm against using -k because this disables certificate checking and can give a false illusion of security.
The data is anonymised, but at the moment of the send, someone can intercept the connection (a typical man-in-the-middle attack, for example with DNS poisoning of the feedback URL) and then know who sent the information and learn things that should not be public about the internal infrastructure of the user.
So I think we should encrypt the connection.
- Status changed from Discussion to 8
OK. Then let's provide the necessary CA bundles.
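As an added illustration of the two options weighed in this thread (curl -k versus shipping a CA bundle of our own), the script below is not Rudder's packaging code and is not what the linked pull request contains. It generates a throwaway CA and a server certificate locally (constructed for the demo, not the real feedback.rudder-project.org chain), verifies the server certificate against the shipped bundle and against an unrelated CA standing in for a host store that does not know ours, and shows how the reporting script should invoke curl with --cacert pinned to the shipped bundle and refuse to send rather than fall back to -k. Directory layout, file names and the host name feedback.example.invalid are assumptions; it needs only openssl on the PATH.

```shell
#!/bin/sh
# Added example, not Rudder's own code: pin a shipped CA bundle instead of
# disabling verification with curl -k. All names/paths are assumptions.
set -eu

# 1. A demo CA, a server certificate signed by it, and an unrelated CA that
#    stands in for "whatever the host's bundle happens to contain".
#    (Constructed locally; not the real feedback.rudder-project.org chain.)
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Demo Feedback CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=feedback.example.invalid" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Unrelated CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# 2. Verification the way a pinned client does it: trust ONLY the given
#    bundle, explicitly ignoring the host's default file and directory.
#    Prints "ok" or "fail".
verify_against_bundle() {
  bundle=$1; cert=$2
  if openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$cert" \
       >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# 3. The curl invocation the reporting script should use. --cacert pins the
#    shipped bundle; if the bundle is missing we refuse to send at all rather
#    than downgrading to -k, which would turn the check off entirely.
curl_args_for() {
  bundle=$1; url=$2
  if [ ! -r "$bundle" ]; then
    echo "refusing to send: CA bundle $bundle is unreadable" >&2
    return 1
  fi
  printf 'curl --fail --silent --show-error --cacert %s %s\n' "$bundle" "$url"
}

# Demo run.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_pki "$WORK"
# The bundle we would ship alongside the reporting script: just our CA.
cat "$WORK/ca.pem" > "$WORK/rudder-feedback-ca-bundle.pem"

echo "shipped bundle : $(verify_against_bundle "$WORK/rudder-feedback-ca-bundle.pem" "$WORK/server.pem")"
echo "host's own CAs : $(verify_against_bundle "$WORK/other.pem" "$WORK/server.pem")"
curl_args_for "$WORK/rudder-feedback-ca-bundle.pem" https://feedback.example.invalid/
```

The second verify line is the situation the bug describes: a host whose store does not contain our CA fails the check, and the correct answer is to ship the CA, not to pass -k. Note the -no-CAfile/-no-CApath flags: without them openssl verify still merges the system store into the trust set even when -CAfile is given, which would hide exactly the mismatch being tested.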
- Status changed from 8 to Pending technical review
- Assignee changed from Benoît PECCATTE to Matthieu CERDA
- Pull Request set to https://github.com/Normation/rudder-packages/pull/566
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset packages:rudder-packages|commit:4dc4da948d3d73934807d1cc8dcf3f6ee8bf6251.
Applied in changeset packages:rudder-packages|commit:a3063126d7742181be176c66e3b7e2b32f8e9f59.
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.0.0~beta2, which was released recently.