Bug #18936: Download of OS specific kernel and initrd files should verify certificates - Smart Proxy - Foreman

Actions

Bug #18936

closed

Download of OS specific kernel and initrd files should verify certificates

Added by Dominic Schlegel over 7 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

TFTP

Target version:

-

Difficulty:

trivial

Triaged:

Yes

Bugzilla link:

Pull request:

https://github.com/theforeman/smart-proxy/pull/792

Fixed in Releases:

Foreman - 3.0.0

Found in Releases:

Red Hat JIRA:

Description

The documentation https://theforeman.org/manuals/1.14/index.html#4.3.9TFTP mentions that the Download of OS specific kernel and initrd files does not verify certificates. In particular step 5 of the work flow mentions the exact wget command:

wget --no-check-certificate -nv -c <src> -O "<destination>"

I can not imagine any reason why the option --no-check-certificate should be used. Therefore I suggest to remove it.
If there is a use case which is valid I suggest that the GUI offers a checkbox in the installation Media detail page that turns on/off the certificate check.

Actions

#1

Updated by Dominic Cleal over 7 years ago

Project changed from Foreman to Smart Proxy
Category set to TFTP

Actions

#2

Updated by Lukas Zapletal over 3 years ago

Difficulty set to trivial
Triaged changed from No to Yes

Actions

#3

Updated by Lukas Zapletal over 3 years ago

Let's add a new tftp.yaml setting named "verify_server_cert", when true the "--no-check-certificate" argument will be used.

Actions

#4

Updated by Lukas Zapletal over 3 years ago

Interesting file to start with:

https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/config/settings.d/tftp.yml.example
https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/modules/tftp/tftp_plugin.rb
https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/modules/tftp/tftp_api.rb
https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/modules/tftp/tftp_api.rb#L72

Actions

#5

Updated by Dominic Schlegel over 3 years ago

Lukas Zapletal wrote:

Let's add a new tftp.yaml setting named "verify_server_cert", when true the "--no-check-certificate" argument will be used.

That naming is confusing me. Shouldn't it be when "verify_server_cert" is set to false that the "--no-check-certificate" should be added?

Actions

#6

Updated by Lukas Zapletal over 3 years ago

Correct, typing on a call is hard :-)

Actions

#7

Updated by The Foreman Bot over 3 years ago

Status changed from New to Ready For Testing
Pull request https://github.com/theforeman/smart-proxy/pull/792 added

Actions

#8

Updated by Anna Vítová over 3 years ago

Assignee set to Anna Vítová

Actions

#9

Updated by The Foreman Bot over 3 years ago

Fixed in Releases 3.0.0 added

Actions

#10

Updated by Anonymous over 3 years ago

Status changed from Ready For Testing to Closed

Applied in changeset 040da586908d48d193838fff703d77dab98fa3b2.

Actions

Also available in: Atom PDF