Fedora kickstart script downloads CA cert bundle over HTTP #318
Comments
Indeed. It's probably just copypasta legacy from a CentOS 5 definition so that the I'm happy to take a PR to remove this, as long as that
This was referenced Feb 24, 2015
jtimberman pushed a commit that referenced this issue on Feb 24, 2015:
This addresses both concerns of #318 and #325. We were downloading the SSL CA bundle over http because at the point in time when we wanted to even do that we might not have been in a state where the SSL certificates from curl.haxx.se could be verified. Using http is just as good at that point as using SSL without verification. However... This addresses the concern raised in #325, whereby the upstream cacert.pem removed certificates used by services such as AWS S3, causing SSL connections to those sites to fail to verify. We should rely on the ca-bundle.crt that comes with the openssl package on the platforms in question (centos/fedora).
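The weak pattern the issue and the commit message above describe, as an added example that is not bento's own kickstart code: a small POSIX shell audit that flags a kickstart %post section fetching a CA bundle over http://, beside the corrected %post that relies on the bundle the base install already provides (/etc/pki/tls/certs/ca-bundle.crt on Fedora and CentOS) and merely sanity-checks it. The sample %post snippets, the curl.haxx.se URL path and the function names are constructed for illustration. The security point is that a bundle fetched over plain HTTP can be replaced in transit, and since that file becomes the trust anchor for every later TLS connection the image makes, the substitution would never be detected; as the commit notes, at that stage HTTP is no worse than HTTPS without verification, so the fix is not to download the bundle at all (or, if a newer one is genuinely needed, to fetch it over HTTPS verified against the platform bundle that is already installed).

```shell
#!/bin/sh
# Added example, not part of the bento repository: audit a kickstart %post
# for CA bundles fetched over plain HTTP, and show the corrected form that
# keeps the distribution's own bundle instead of replacing it.

# Constructed sample of the weak pattern reported in the issue. The exact
# command and URL are assumptions, not copied from bento.
WEAK_POST='%post
# fetch a "fresh" CA bundle over HTTP: anyone on the path can swap it
curl -o /etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem
%end'

# Corrected form (assumed layout): no download; rely on the bundle shipped
# by the base packages and only verify that it exists and parses as PEM.
FIXED_POST='%post
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
test -s "$BUNDLE" || { echo "no CA bundle from the base install" >&2; exit 1; }
openssl crl2pkcs7 -nocrl -certfile "$BUNDLE" | openssl pkcs7 -print_certs -noout >/dev/null
%end'

# If a newer bundle is really wanted, fetch it over HTTPS and verify the
# server against the bundle already on disk (constructed sample).
HTTPS_POST='%post
curl --cacert /etc/pki/tls/certs/ca-bundle.crt -o /tmp/cacert.pem https://curl.haxx.se/ca/cacert.pem
%end'

# insecure_ca_fetch KS_TEXT
# Returns 0 (true) when the kickstart text downloads a CA bundle
# (cacert.pem or ca-bundle.crt) with curl or wget over http://, else 1.
insecure_ca_fetch() {
    printf '%s\n' "$1" \
      | grep -Ei '(curl|wget)[^#]*http://[^[:space:]]*(cacert\.pem|ca-bundle\.crt)' \
        >/dev/null
}

# audit_ks KS_TEXT
# Prints a verdict; returns 0 when clean, 1 when the weak pattern is present.
audit_ks() {
    if insecure_ca_fetch "$1"; then
        echo "WEAK: CA bundle fetched over plain HTTP; trust store can be replaced in transit"
        return 1
    fi
    echo "OK: no plaintext CA bundle fetch"
    return 0
}

# check_bundle PATH
# The same sanity check the corrected %post performs, usable outside
# kickstart: returns 0 when PATH is non-empty and holds at least one PEM
# certificate block.
check_bundle() {
    test -s "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Usage: run the audit over the three constructed samples.
audit_ks "$WEAK_POST"
audit_ks "$FIXED_POST"
audit_ks "$HTTPS_POST"
```

The audit is deliberately narrow (curl/wget plus a bundle file name) so it can be dropped into a CI job that scans every packer/kickstart definition in the tree; the check_bundle function is what the corrected %post relies on, and it fails closed when the base install did not provide a bundle rather than silently fetching one.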
legal90 added a commit to legal90/bento that referenced this issue on Nov 24, 2015:
* commit '8f09552fff04535f8f57e3ab423d45784fad1313':
  Fixes chef#325, chef#318 - don't download cacert.pem
  change mirror to http.debian.net, fixes chef#322
  Fix minor typo in vm_name.
  update to debian 7.8
  Added links to Fedora 21 boxes
  Update to Ubuntu 14.04.1. Fixes chef#290
  Change company domain name to chef.io
  Update travis.yml for opscode to chef org rename
  Added Fedora 21 VB base boxes to README
  Remove EOL Fedora 19 content
  Fedora 19 is EOL as of January 6, 2015. https://lists.fedoraproject.org/pipermail/announce/2015-January/003248.html
  Make script zypper-locks.sh workable

Conflicts:
  packer/debian-7.8-amd64.json
  packer/debian-7.8-i386.json
The kickstart scripts for Fedora (at least) download a new CA certificate bundle over unsecured HTTP from curl.haxx.se.
It seems to me that this should be done in some more secure fashion, if it is needed at all. Why does the CA cert bundle need to be updated, rather than using the one shipped by Fedora?
I have not reviewed the other build definitions to see if they also do this.