Bug #18936
closed
Download of OS specific kernel and initrd files should verify certificates
Description
The documentation https://theforeman.org/manuals/1.14/index.html#4.3.9TFTP mentions that the download of OS specific kernel and initrd files does not verify certificates. In particular, step 5 of the workflow mentions the exact wget command:
wget --no-check-certificate -nv -c <src> -O "<destination>"
I cannot imagine any reason why the option --no-check-certificate should be used. Therefore I suggest removing it. If there is a use case which is valid, I suggest that the GUI offers a checkbox in the installation Media detail page that turns on/off the certificate check.
Updated by Dominic Cleal over 7 years ago
- Project changed from Foreman to Smart Proxy
- Category set to TFTP
Updated by Lukas Zapletal over 3 years ago
- Difficulty set to trivial
- Triaged changed from No to Yes
Updated by Lukas Zapletal over 3 years ago
Let's add a new tftp.yaml setting named "verify_server_cert", when true the "--no-check-certificate" argument will be used.
Updated by Lukas Zapletal over 3 years ago
Interesting files to start with:
https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/config/settings.d/tftp.yml.example
https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/modules/tftp/tftp_plugin.rb
https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/modules/tftp/tftp_api.rb
https://github.com/theforeman/smart-proxy/blob/fdeef1dc6febcfae22c8d3273cb18d6bdeb31a23/modules/tftp/tftp_api.rb#L72
Updated by Dominic Schlegel over 3 years ago
Lukas Zapletal wrote:
Let's add a new tftp.yaml setting named "verify_server_cert", when true the "--no-check-certificate" argument will be used.
That naming is confusing me. Shouldn't it be when "verify_server_cert" is set to false that the "--no-check-certificate" should be added?
Updated by Lukas Zapletal over 3 years ago
Correct, typing on a call is hard :-)
Updated by The Foreman Bot about 3 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/792 added
Updated by Anonymous about 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset 040da586908d48d193838fff703d77dab98fa3b2.
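Added example (not part of the ticket and not the smart-proxy code): a Ruby sketch of the behaviour agreed in the thread, where "--no-check-certificate" is passed only when "verify_server_cert" is explicitly false. The helper names, the sample tftp.yml content and the mirror URL are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample of a tftp.yml. `verify_server_cert` is the setting name
# proposed in this ticket; the other keys are illustrative.
SAMPLE_TFTP_YML = <<~YAML
  ---
  :enabled: true
  :tftproot: /var/lib/tftpboot
  :verify_server_cert: false
YAML

# Hypothetical loader: safe_load with only Symbol permitted, empty file => {}.
def load_settings(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
end

# Hypothetical helper: only an explicit "false" value disables verification.
# A missing, nil or unrecognised value keeps certificate checking on.
def verify_server_cert?(settings)
  value = settings[:verify_server_cert]
  return true if value.nil?
  return value if value == true || value == false
  !%w[false no off 0].include?(value.to_s.strip.downcase)
end

# Build the wget argv as an array so <src> and <destination> never pass
# through a shell. The flags are the ones quoted in the ticket description.
def wget_args(src, destination, settings)
  args = ['wget']
  args << '--no-check-certificate' unless verify_server_cert?(settings)
  args + ['-nv', '-c', src, '-O', destination]
end

if __FILE__ == $PROGRAM_NAME
  settings = load_settings(SAMPLE_TFTP_YML)
  # Constructed URL and path; nothing is downloaded here.
  puts wget_args('https://mirror.example/vmlinuz', '/tmp/vmlinuz', settings).inspect
  puts wget_args('https://mirror.example/vmlinuz', '/tmp/vmlinuz', {}).inspect
end
```

With the setting absent, the resulting argv contains no "--no-check-certificate", so certificate verification stays on unless an operator turns it off.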