Added graceful downgrade from TLS security enabled to disabled if a TLS CLIENT_KEY is not provided #11

adriansuarez · 2020-11-03T02:37:50Z

No description provided.

mkysel · 2020-11-03T03:35:39Z

nuocd/nuodb_adminquery.py

+        # this assumes set to a path. It could be set to True in which case we need
+        # to return the default path
+
+        server_cert = env.get('NUOCMD_VERIFY_SERVER', os.environ.get('NUOCMD_VERIFY_SERVER', False))


server_cert can also be missing. In 4.2 we no longer ship either the server cert or the client cert.

A missing server_cert file is "OK" in python?

I don't think we should downgrade if the client key exists. If someone went through the trouble to create nuocmd.pem, but they forgot to create or misplaced (e.g. they called it /etc/nuodb/keys/ca.crt instead of /etc/nuodb/keys/ca.cert) the server certificate, then they would probably be expecting HTTPS to be used.

I'm also being more defensive about downgrading here because I can't tell if the argument was resolved from an environment variable or an explicit argument, (nuocmd only downgrades when the explicit arguments are not specified).

sivanov-nuodb

I also think that we should check server_cert file existence. Otherwise the changes look good to me.

sivanov-nuodb

I guess that the verify certificate file is not used even if provided in case the protocol is downgraded.

Downgrade to http:// if key does not exist

26b1d3d

adriansuarez requested review from mkysel, butson and sivanov-nuodb November 3, 2020 02:37

Fix protocol handling

0095ea7

mkysel reviewed Nov 3, 2020

View reviewed changes

sivanov-nuodb reviewed Nov 3, 2020

View reviewed changes

sivanov-nuodb approved these changes Nov 3, 2020

View reviewed changes

adriansuarez merged commit 4225094 into master Nov 3, 2020

adriansuarez deleted the asuarez/http-downgrade branch November 3, 2020 17:58

mkysel changed the title ~~Downgrade to http:// if key does not exist~~ Added graceful downgrade to API_SERVER http:// if CLIENT_KEY does not exist Nov 4, 2020

mkysel changed the title ~~Added graceful downgrade to API_SERVER http:// if CLIENT_KEY does not exist~~ Added graceful downgrade for API_SERVER to http:// if CLIENT_KEY does not exist Nov 4, 2020

mkysel added the enhancement New feature or request label Nov 4, 2020

jleslie85 changed the title ~~Added graceful downgrade for API_SERVER to http:// if CLIENT_KEY does not exist~~ Added graceful downgrade from TLS security enabled to disabled if a TLS CLIENT_KEY is not provided Nov 5, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added graceful downgrade from TLS security enabled to disabled if a TLS CLIENT_KEY is not provided #11

Added graceful downgrade from TLS security enabled to disabled if a TLS CLIENT_KEY is not provided #11

adriansuarez commented Nov 3, 2020

mkysel Nov 3, 2020

adriansuarez Nov 3, 2020 •

edited

Loading

sivanov-nuodb left a comment

sivanov-nuodb left a comment

Added graceful downgrade from TLS security enabled to disabled if a TLS CLIENT_KEY is not provided #11

Added graceful downgrade from TLS security enabled to disabled if a TLS CLIENT_KEY is not provided #11

Conversation

adriansuarez commented Nov 3, 2020

mkysel Nov 3, 2020

Choose a reason for hiding this comment

adriansuarez Nov 3, 2020 • edited Loading

Choose a reason for hiding this comment

sivanov-nuodb left a comment

Choose a reason for hiding this comment

sivanov-nuodb left a comment

Choose a reason for hiding this comment

adriansuarez Nov 3, 2020 •

edited

Loading