google/gnxi

oc_config_validate <=2.2.0 trusts Target self-signed certs by default

JoseIgnacioTamayo opened this issue · 0 comments

In oc_config_validate <=2.2.0, when no Root CA TLS Chain file is defined (either in the YAML file or as command arguments):

  • oc_config_validate fetches the TLS Certificate of the Target and uses it as Root CA Cert to validate the Target's TLS.

This effectively makes oc_config_validate trust any Self-Signed Target certificate. When the Target presents a valid non-self-signed cert, oc_config_validate will fail the TLS verification.

Instead, there should be an explicit option to fetch and trust the Target's TLS cert.
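The explicit opt-in proposed in the issue could be structured as below. This is an added example, not code from oc_config_validate or the gnxi project; `select_root_certs`, `trust_target_cert`, and the injectable `fetch` parameter are hypothetical names, and the sample certificate bytes are constructed.

```python
import hashlib
import ssl
from typing import Callable, Optional, Tuple

# Hypothetical names throughout; this is not oc_config_validate's code.
Fetcher = Callable[[Tuple[str, int]], str]


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER certificate, for logging or later pinning."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def select_root_certs(
    target: Tuple[str, int],
    root_ca_pem: Optional[bytes] = None,
    trust_target_cert: bool = False,
    fetch: Fetcher = ssl.get_server_certificate,
) -> Tuple[Optional[bytes], str]:
    """Return (root_certs, reason).

    root_certs is PEM bytes to use as trust anchors (for example as the
    root_certificates argument of grpc.ssl_channel_credentials), or None
    to fall back to the TLS library's default roots.
    """
    if root_ca_pem is not None:
        if trust_target_cert:
            raise ValueError("root CA and trust_target_cert are mutually exclusive")
        return root_ca_pem, "configured root CA"
    if trust_target_cert:
        # Explicit opt-in only: the fetch is unauthenticated, so record
        # exactly which certificate ended up trusted.
        pem = fetch(target)
        return pem.encode("ascii"), "target cert sha256=" + fingerprint(pem)
    # Default: never fetch trust anchors from the Target itself.
    return None, "default roots"


if __name__ == "__main__":
    # Constructed stand-in for a fetched certificate, so the demo runs offline.
    sample = ssl.DER_cert_to_PEM_cert(b"constructed sample, not a real cert")
    target = ("target.example", 9339)  # placeholder address
    print(select_root_certs(target)[1])
    print(select_root_certs(target, trust_target_cert=True,
                            fetch=lambda addr: sample)[1])
```

With no root CA and no opt-in, the Target is never contacted for trust material, so a CA-signed Target cert verifies against the default roots and a self-signed one is rejected.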