Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Config to skip TLS cert verification for etcd #5297

Closed
wants to merge 1 commit into from
Closed

Config to skip TLS cert verification for etcd #5297

wants to merge 1 commit into from

Conversation

gnuoy
Copy link

@gnuoy gnuoy commented Sep 7, 2018

This change adds a new configuration option to the etcd backend
section. tls_insecure_skip_verify allows the user to instruct
vault to skip the verification of the certificates presented by
etcd. Setting tls_insecure_skip_verify to 'true' is a work around
to issue #4961. If a user sets tls_insecure_skip_verify to 'true'
then vault is vunerable to man-in-the-middle attacks when
communicating with etcd.

I am proposing the change as its the work-around I'm currently
using for the bug and I thought it might be useful to others. However,
given the security implications of enabling the option I understand if
you choose not to land it.

Config to skip TLS cert verification for etcd
97bb786 
This change adds a new configuration option to the etcd backend
section. tls_insecure_skip_verify allows the user to instruct
vault to skip the verification of the certificates presented by
etcd. Setting tls_insecure_skip_verify to 'true' is a work around
to issue hashicorp#4961. If a user sets tls_insecure_skip_verify to 'true'
then vault is vunerable to man-in-the-middle attacks when
communicating with etcd.
@hashicorp-cla
Copy link

hashicorp-cla commented Jan 15, 2019
edited
Loading

CLA assistant check
All committers have signed the CLA.

chrishoffman
chrishoffman reviewed May 24, 2019
View reviewed changes
physical/etcd/etcd3.go
return nil, errwrap.Wrapf(fmt.Sprintf("value of 'tls_insecure_skip_verify' (%v) could not be understood: {{err}}", sskip), err)
}
tls.InsecureSkipVerify = skip
} else {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is going to default to false and you don't need to set it explicitly.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is going to default to false and you don't need to set it explicitly.

Is it still true?

@chrishoffman
Copy link
Contributor

Closing due to inactivity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xtrusia xtrusia xtrusia left review comments

@chrishoffman chrishoffman chrishoffman left review comments

Assignees
No one assigned
Labels
ecosystem
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@gnuoy @hashicorp-cla @chrishoffman @xtrusia @malnick