Validate component certs by default #954
Comments
We tried to resolve this in #952. However, the CF-D pipeline environments use self-signed certs, which prevented tests from passing. Therefore, we were forced to revert that PR, and have created this issue to track future work. Tim Downey also noted that many of the present cert validation skips are in place due to a long-standing issue with validating certs for space-scoped service brokers in CC_NG.
* this environment uses relint_ca as root CA
* see also #954
Current status: "cedric", "bbr" and "cats" environments still use self-signed load balancer certificates. The other test environments use the relint_ca root certificate and have TLS enabled.
What is this issue about?
cf-deployment currently skips verification of certificates for certain inter-component communications by default, with an ops file to stop skipping certificate validation.
We would expect the reverse, that cf-deployment be the most secure by default, with an ops file to make it insecure as desired.
What version of cf-deployment are you using?
cf-deployment v17.1.0
Please include the bosh deploy... command, including all the operations files (plus any experimental operation files you're using):
N/A
Please provide output that helps describe the issue:
N/A
What IaaS is this issue occurring on?
N/A
Is there anything else unique or special about your setup?
N/A
Tag your pair, your PM, and/or team!
@mkocher @acrmp