-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add global option to disable TLS validation #755
Comments
Hi @ccwienk, @fabianburth last week added the ability to use http registries: #676. It's not an explicit option, but implicitly set by using http as scheme instead of https (which is also the default when omitting the scheme). The latest version https://github.com/open-component-model/ocm/releases/tag/v0.9.0 contains this functionality. I didn't find this enhancement in the documentation, though. @fabianburth, is this part maybe still pending or was I just not able to find it? :-) |
@morri-son : I cannot quite understand how that relates to my issue. |
dev-note: during implementation, we should also unify the usage of http-client and its settings by creating a dedicated factory |
bump. any news? |
@ccwienk , we checked and discussed the issue already and it is also placed in the "next-up" column: https://github.com/orgs/open-component-model/projects/10. For this sprint we have nearly zero capacity, as several colleagues are on vacation and Fabian acts as mentor for new colleagues. I assume that we can pick the issue up in the sprint starting 17th July. |
@morri-son : bump - any updates w.r.t. timeline? |
@ccwienk we have our refinement tomorrow and my plan is still to pick the issue for the next sprint starting next week. Stress is on "plan" :-) |
What would you like to be added
Add a (global) flag to disable TLS validation for OCM-CLI's commands. Inspired by
curl
, the flag might be named--insecure
, but any name will do.Why is this needed
For development purposes, there may be cases where no valid certificate is available in a testing environment (e.g. if using a self-signed certificate). Having the option to disable TLS validation will be handy in such cases.
One might also consider productive scenarios, where, through a misconfiguration, TLS validation fails, and OCM-CLI is needed to perform urgent tasks that would otherwise be blocked by TLS validation issues.
Admittedly, those are exceptional and corner-cases. However, most other tooling supports explicit disabling of TLS validation, including e.g. package-managers (apt, apk, pacman), HTTP-APIs for all programming languages, HTTP-tools, such as
curl
orwget
, ... - even security-aware tools such asssh
offer disabling of checks / unsafe mode of operation.The text was updated successfully, but these errors were encountered: