Closed Ne0nd0g closed 5 years ago
I think we should keep the default of InsecureSkipVerify: true
to keep the project easy to use and flexible. I imagine there will be issues raised over the defaults not working in some network settings. Hopefully these values can be changed with the build flags to create hardened agents that will not contact unknown servers. You could then optionally use cert pinning or a challenge and response protocol (set a single secret value with the build flag) to verify the authenticity of the server to the agent, but in most of these scenarios you would need some value built into the agents at compile time. Because the server doesn't generate the agents automatically w/ these values embedded, I think defaulting to a fail open model will be easier on the user base.
Merlin agent uses a TLS configuration setting of InsecureSkipVerify: true that will permit communications with a server using an untrusted certificate. Initially this was by design to facilitate ease of use and allow operators the ability to use self-signed certificates. Merlin Agent should be written so that, by default, it won't communicate with hosts using an untrusted certificate. A command line flag and/or build argument should be implemented to downgrade security to allow communications with a host using an untrusted certificate.
Alternatively, have the agent report back the certificate hash it believes it is communicating with and check it against the server's hash, even if using a self-signed certificate. If there is no match drop the communication or hold the agent in a quarantine state and allow the operator to decide how to proceed.
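The three behaviours discussed in this thread (the current fail-open InsecureSkipVerify: true, a fail-closed default, and a compile-time certificate pin) side by side in Go, the agent's language. This is an added example, not Merlin's code: pinnedCertHash, agentTLSConfig, checkPin and the demo servers are hypothetical names assumed here, and the only real mechanism relied on is Go's -ldflags "-X pkg.var=value" for embedding a string at build time plus tls.Config's VerifyPeerCertificate hook, which Go still invokes when InsecureSkipVerify is set. The pin is the SHA-256 of the server's leaf certificate in DER form, so rotating the server certificate means rebuilding or re-pinning the agent.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Hypothetical build-time pin (not a Merlin flag). A hardened build would set it with:
//   go build -ldflags "-X main.pinnedCertHash=<sha256 hex of the server cert DER>"
// Left empty, the agent falls back to ordinary chain validation against system roots.
var pinnedCertHash = ""

// fingerprint is the value an operator records on the server side to pin.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// checkPin authenticates the peer by hash: only the pinned leaf certificate passes.
func checkPin(rawCerts [][]byte, pinHex string) error {
	want, err := hex.DecodeString(pinHex)
	if err != nil || len(want) != sha256.Size {
		return errors.New("pin must be the 64-hex-char SHA-256 of the server certificate")
	}
	if len(rawCerts) == 0 {
		return errors.New("server presented no certificate")
	}
	got := sha256.Sum256(rawCerts[0])
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("certificate pin mismatch: got %s", hex.EncodeToString(got[:]))
	}
	return nil
}

// agentTLSConfig: insecure=true is the opt-in fail-open downgrade; an empty pin gives the
// fail-closed default (normal validation); a pin allows a self-signed cert but only that one.
func agentTLSConfig(pinHex string, insecure bool) (*tls.Config, error) {
	if insecure {
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	if pinHex == "" {
		return &tls.Config{MinVersion: tls.VersionTLS12}, nil
	}
	if raw, err := hex.DecodeString(pinHex); err != nil || len(raw) != sha256.Size {
		return nil, errors.New("invalid certificate pin")
	}
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // skip chain building, but VerifyPeerCertificate still runs
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return checkPin(rawCerts, pinHex)
		},
	}, nil
}

// selfSignedCert makes a throwaway P-256 certificate for 127.0.0.1 so the demo runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "demo-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// checkIn performs one GET with the agent's TLS config and returns the body.
func checkIn(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func startServer(cert tls.Certificate, banner string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, banner)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

func main() {
	legitCert, _ := selfSignedCert()
	rogueCert, _ := selfSignedCert() // a different self-signed cert, as an interposing host would present
	legit, rogue := startServer(legitCert, "legit server"), startServer(rogueCert, "rogue server")
	defer legit.Close()
	defer rogue.Close()
	if pinnedCertHash == "" { // stand-in for the build flag when run without -ldflags
		pinnedCertHash = fingerprint(legitCert.Certificate[0])
	}
	modes := []struct {
		name     string
		pin      string
		insecure bool
	}{{"fail-open (InsecureSkipVerify)", "", true}, {"fail-closed default", "", false}, {"pinned", pinnedCertHash, false}}
	for _, m := range modes {
		cfg, _ := agentTLSConfig(m.pin, m.insecure)
		for _, s := range []*httptest.Server{legit, rogue} {
			body, err := checkIn(s.URL, cfg)
			fmt.Printf("%-32s -> %-14q err=%v\n", m.name, body, err)
		}
	}
}
```

Running it shows the fail-open mode talking to both servers, the default mode rejecting both self-signed certificates, and the pinned mode accepting only the server whose certificate hash was embedded; a mismatch surfaces as a TLS handshake error the agent can log or treat as the quarantine condition described above.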