When `ssl_certificate_authorities` provided, `ssl_verify_mode => none` is ignored.
yaauie opened this issue · 1 comments
Follow-up to #300, which was closed and defined this as desired behaviour:
The act of setting
certificate_authorities
should be an expression by the user/operator that they want to only accept trusted clients. Maybe we need to improve the wording/docs here?Alternately, why would you set
ssl_verify => none
and also set [ssl_certificate_authorities
] ? Why would you say "Trust the things in [ssl_certificate_authorities
]" but then tell the plugin to ignore trust relationships? What's the use case and intent?
We need to make this experience better for our users.
Option 1:
- Reject
ssl_verify => none
whenssl_certificate_authorities
is provided.
Option 2:
- WARN when encountering
ssl_verify => none
whenssl_certificate_authorities
is provided. - Document that the setting is ignored in some cases (and define which specific cases).
Alternately, why would you set ssl_verify => none and also set [ssl_certificate_authorities] ? Why would you say "Trust the things in [ssl_certificate_authorities]" but then tell the plugin to ignore trust relationships? What's the use case and intent?
I understand the argument, however the issue is that we default the verify mode to "force_peer" in the SslContextBuiilder. This means that ssl_verify => none
with ssl_certificates_authorities will be stricter than setting ssl_verify => peer
.
So I'm +1 on adding a warning for now and then going for Option 1 in a next major.