When `ssl_certificate_authorities` provided, `ssl_verify_mode => none` is ignored.

Question

When `ssl_certificate_authorities` provided, `ssl_verify_mode => none` is ignored.

yaauie opened this issue 4 years ago · 1 comments

Follow-up to #300, which was closed and defined this as desired behaviour:

The act of setting certificate_authorities should be an expression by the user/operator that they want to only accept trusted clients. Maybe we need to improve the wording/docs here?

Alternately, why would you set ssl_verify => none and also set [ssl_certificate_authorities] ? Why would you say "Trust the things in [ssl_certificate_authorities]" but then tell the plugin to ignore trust relationships? What's the use case and intent?

-- #300 (comment)

We need to make this experience better for our users.

Option 1:

Reject ssl_verify => none when ssl_certificate_authorities is provided.

Option 2:

WARN when encountering ssl_verify => none when ssl_certificate_authorities is provided.
Document that the setting is ignored in some cases (and define which specific cases).

Answer 1 · 2020-10-30T10:37:46.000Z

Alternately, why would you set ssl_verify => none and also set [ssl_certificate_authorities] ? Why would you say "Trust the things in [ssl_certificate_authorities]" but then tell the plugin to ignore trust relationships? What's the use case and intent?

I understand the argument, however the issue is that we default the verify mode to "force_peer" in the SslContextBuiilder. This means that ssl_verify => none with ssl_certificates_authorities will be stricter than setting ssl_verify => peer.

So I'm +1 on adding a warning for now and then going for Option 1 in a next major.