ssl_peer_fingerprint_verification for self-signed certs #150
Conversation
conn_fingerprint = OpenSSL::Digest::SHA1.new( | ||
resp.peer_cert.to_der).to_s.upcase | ||
if @ssl_peer_fingerprint != conn_fingerprint | ||
@logger.fatal("ssl fingerprint mismatch!!!!\n") |
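Review bot: in the visible lines the mismatch branch only logs at fatal level; make sure the method then raises (or otherwise aborts the request) so a connection whose certificate does not match @ssl_peer_fingerprint is never used. Also consider normalizing the configured value (strip colons and whitespace, upcase) before the != comparison, since thumbprints are pasted in several formats, and note that SHA1 is chosen to match Windows thumbprints while SHA-256 would be the stronger digest.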
This verifies connections ongoing. See #151
After spending a good chunk of time writing this winrm blog post and most of the time getting some SSL scenarios working, I'm even more of a fan of this idea. For instance, using If we could simply pass a known thumbprint it would be much less friction than throwing self signed certs around and much safer than HTTP or disabled peer verification. One could also submit a small vagrant pr to allow adding HTTPS attributes to a Vagrantfile making vagrant scenarios easier to secure and reducing the need to allow unencrypted basic auth. We do need to add some tests and get the rubocop happy.
@mwrock What about 50 lines of PowerShell that just uses the .NET framework classes to do the work of generating the appropriate self-signed cert? Everyone already needs a PS script to enable WinRM anyway.
Yeah powershell works too :) Here is a great powershell function that has more granular control than However, it's one more thing to download or pack into your image prep artifacts. This model proposed by @hh is very similar to the way one connects to vSphere using the Fog API. With this, one could reuse the cert that windows creates for remote desktop. Just removes another layer of friction.
@mwrock I cleaned up the rubocop, I'm not yet familiar enough with the testing framework. I'm taking a look now, but any useful/pointed directions would be great.
resp = @httpcli.post(@endpoint, message, hdr) | ||
log_soap_message(resp.http_body.content) | ||
verify_ssl_fingerprint(resp.peer_cert) |
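Review bot: verify_ssl_fingerprint(resp.peer_cert) runs only after @httpcli.post has returned, so the request body and any auth headers have already been sent to whichever peer answered before its certificate is checked; a mismatch can still stop the response from being processed, but pinning is stronger when enforced during the TLS handshake (through the HTTP client's SSL verify callback, where available) so a mismatched peer never receives the request at all.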
You need an `if @ssl_peer_fingerprint` here so it is not called for normal requests. Or perhaps even better, return from that method if it's nil.
Merged in with #170
This pull request is mainly to discuss approaches to ssl fingerprint or certificate checking when self-signed cert Common Names do not match the FDQN or IP of the host we are connecting to.
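As an added illustration of the pinning approach this PR proposes (example code written for this page, not code from the WinRM gem): compute a certificate's fingerprint over its DER encoding, normalize a user-supplied thumbprint, and compare the two in constant time. The self-signed certificate with a Common Name that matches no host is constructed inline, and the function names are assumptions.

```ruby
require 'openssl'

# Normalize a thumbprint the way users paste it (Windows-style "AB:CD:...",
# lowercase, stray whitespace) into bare uppercase hex so comparison is format-agnostic.
def normalize_fingerprint(fp)
  fp.to_s.gsub(/[\s:]/, '').upcase
end

# Hex fingerprint of an X509 certificate over its DER encoding.
# SHA1 matches the thumbprint Windows displays; SHA256 is the stronger choice.
def cert_fingerprint(cert, algo = 'SHA256')
  OpenSSL::Digest.new(algo).hexdigest(cert.to_der).upcase
end

# Constant-time equality so the comparison does not leak how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when a pin is configured AND it matches the presented certificate;
# a missing pin is "not pinned", never "pinned to anything".
def fingerprint_pinned?(expected, cert, algo = 'SHA256')
  return false if expected.nil? || expected.to_s.strip.empty?
  secure_equal?(normalize_fingerprint(expected), cert_fingerprint(cert, algo))
end

# Constructed sample: a self-signed cert whose CN deliberately does not match
# any FQDN or IP we would connect to, the situation this PR is about.
def sample_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=WIN-BUILDBOX')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

With a pin in place the hostname mismatch no longer matters: the check binds the connection to one specific certificate rather than to a name.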