Open hitchhiker opened 6 months ago
@hitchhiker So far I haven't thought about what exactly happens if Microsoft disables http access completely. If they still check the validity of certificates, we really have to come up with something clever.
Hey @seriouz - they have a flag that they've added to 8.0.400 that will allow us to skip validation, I don't know if that includes HTTP (and can't find information on it yet).
disableTLSCertificateValidation=true
While it would be better for folks in our context to just use HTTP (as self-hosted, in a private network we have no use for TLS), if the flag doesn't allow that it will at least allow us to use a self-signed / temporary / self-generated cert.
Thank you for this information.
I think we'll go for allowing custom certs to be added; when none is found, a self-signed one will be used.
Probably we could add a notice to the UI explaining the disableTLSCertificateValidation=true property.
https://github.com/NuGet/docs.microsoft.com-nuget/issues/3295#issuecomment-2125360562
They replied, the flag 'allowInsecureConnections' (available already) suppresses the warnings / errors and allows the process to continue with HTTP. I tried it, and it's working as expected. I am publishing with a local HTTP feed without issue.
Thanks for your time, and this refreshed project!
I have no need for TLS security, but MS is removing HTTP, here's my use case: https://github.com/NuGet/docs.microsoft.com-nuget/issues/3295
Would it be possible to allow Kestrel to generate a self-signed certificate, to eliminate the need for extra configuration / maintenance?
An example of that: https://itniels.com/2020/05/19/aspnet-core-starting-kestrel-with-generated-selfsigned-certificate/
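
An added example, not code from this project or from anyone in the thread: a small audit that lists which package sources in a nuget.config rely on the two flags discussed above, and whether each one points at a literal private or loopback address. It assumes both flags are set as attributes on an `<add>` entry under `<packageSources>`; the feed names, hosts and the `audit_sources` / `is_private_host` helpers are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample nuget.config; feed names, hosts and paths are made up.
SAMPLE_CONFIG = r"""<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="lan-http" value="http://10.0.0.5:5000/v3/index.json" allowInsecureConnections="true" />
    <add key="lan-selfsigned" value="https://192.168.1.20/v3/index.json" disableTLSCertificateValidation="true" />
    <add key="remote-http" value="http://feeds.example.com/v3/index.json" allowInsecureConnections="true" />
    <add key="local-folder" value="C:\packages" />
  </packageSources>
</configuration>"""


def is_private_host(host):
    """True for 'localhost' or a literal private/loopback IP; DNS names are not resolved."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def audit_sources(config_xml):
    """Return (key, issue, private_host) for each source that weakens transport security."""
    findings = []
    for add in ET.fromstring(config_xml).findall("./packageSources/add"):
        url = urlsplit(add.get("value", ""))
        scheme = url.scheme.lower()
        if scheme not in ("http", "https"):
            continue  # local folder or share: no network transport to audit
        enabled = lambda name: add.get(name, "").strip().lower() == "true"
        private = is_private_host(url.hostname or "")
        if scheme == "http":
            issue = "http-opt-in" if enabled("allowInsecureConnections") else "http-no-opt-in"
            findings.append((add.get("key"), issue, private))
        elif enabled("disableTLSCertificateValidation"):
            findings.append((add.get("key"), "tls-validation-disabled", private))
    return findings


if __name__ == "__main__":
    for key, issue, private in audit_sources(SAMPLE_CONFIG):
        print(f"{key}: {issue} ({'private address' if private else 'not a private address'})")
```

Sources reported with `private_host` set to `False` are the ones to look at first, since the flag there applies to traffic that is not confined to a literal private address.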