Closed marjus45 closed 1 month ago
You have to use --ssl-insecure
to skip SSL verification.
Thanks for the answer @oalbrigt , but that doesn't work for me either, because I want to run the command over http
not https
. If you set the --ssl
flag to true, then the code assumes that this is an HTTPS request, which is too restrictive.
Why do you need this parameter to be set to true?
We need it to be true to avoid customers setting up insecure solutions and not being informed about it.
Look for disable_ssl in fence_zvmip for an example for how you can disable it, or you can update the if/else on this line https://github.com/ClusterLabs/fence-agents/pull/583/files#diff-323a7bda23d47d2a6cfc14837ada72209ffe9d2b8a76a26f6da9424e22d8191bR46 if sockets always use http.
I am okay in adding the --disable-ssl
flag as well. The important part is to allow the user to run over HTTP if they want, which now I understand is not supported.
I think it's a bit counter-intuitive though to have a command line argument which doesn't do anything. If --ssl
is always set to true for protecting the customers this is fine, but then only the --disable-ssl
should exist.
That would be ideal, but it's part of the fencing library, and some agents that might still be used but arent provided in commercial distros still have ssl disabled by default, so they need it.
And you can also set ssl=0 when you set it up in Pacemaker via pcs or crmsh, so it's not working when you test it manually.
I understand that the fence_docker agent has set the default value of
--ssl
to true, and there is no way to set it to false via the command line. Is this true?and my attempt to set it to false:
If so, would you be open to set this flag to
false
by default to make optional the TLS verification? Another option is to configure the flag to accept an argument, but this might change the user interface.