Merge branch 'mk-default-ldap-verify-certificates-secure' into 'master'
Default LDAP config `verify_certificates` to true. Closes #33662. See merge request !13915
commit
073f6f0853
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Default LDAP config "verify_certificates" to true for security
|
||||
merge_request: 13915
|
||||
author:
|
||||
type: changed
|
|
@ -273,9 +273,8 @@ production: &base
|
|||
encryption: 'plain'
|
||||
|
||||
# Enables SSL certificate verification if encryption method is
|
||||
# "start_tls" or "simple_tls". (Defaults to false for backward-
|
||||
# compatibility)
|
||||
verify_certificates: false
|
||||
# "start_tls" or "simple_tls". Defaults to true.
|
||||
verify_certificates: true
|
||||
|
||||
# Specifies the path to a file containing a PEM-format CA certificate,
|
||||
# e.g. if you need to use an internal CA.
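Review bot: The rewritten comment above `verify_certificates: true` drops the caveat that operators actually need on upgrade — that an LDAP server presenting a self-signed or internal-CA certificate will now fail to connect until `ca_file` (described just below this line) is set. The Markdown doc in this same commit carries that warning, but `gitlab.yml.example` is the file most admins copy from, so it should say it too. Suggested replacement for the comment: `# "start_tls" or "simple_tls". Defaults to true since GitLab 10.0; servers using a self-signed or internal-CA certificate must set ca_file below or the connection will fail.` Note also that with the example's own `encryption: 'plain'` the setting has no effect, which the comment already implies but could state outright.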
|
||||
|
|
|
@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
|
|||
server['encryption'] = 'simple_tls' if server['encryption'] == 'ssl'
|
||||
server['encryption'] = 'start_tls' if server['encryption'] == 'tls'
|
||||
|
||||
# Certificates are not verified for backwards compatibility.
|
||||
# This default should be flipped to true in 9.5.
|
||||
if server['verify_certificates'].nil?
|
||||
server['verify_certificates'] = false
|
||||
|
||||
message = <<-MSG.strip_heredoc
|
||||
LDAP SSL certificate verification is disabled for backwards-compatibility.
|
||||
Please add the "verify_certificates" option to gitlab.yml for each LDAP
|
||||
server. Certificate verification will be enabled by default in GitLab 9.5.
|
||||
MSG
|
||||
Rails.logger.warn(message)
|
||||
end
|
||||
# Certificate verification was added in 9.4.2, and defaulted to false for
|
||||
# backwards-compatibility.
|
||||
#
|
||||
# Since GitLab 10.0, verify_certificates defaults to true for security.
|
||||
server['verify_certificates'] = true if server['verify_certificates'].nil?
|
||||
|
||||
Settings.ldap['servers'][key] = server
|
||||
end
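Review bot: The new default line silently removes the only place that logged anything about certificate verification, so an installation that explicitly sets `verify_certificates: false` together with `start_tls`/`simple_tls` now runs with a MITM-able LDAP connection and no trace of it in the logs. Since that combination is now a deliberate security opt-out rather than the legacy default, it is worth keeping a startup warning for it; after the new assignment, something like `if server['verify_certificates'] == false && %w[start_tls simple_tls].include?(server['encryption'])` / `Rails.logger.warn("LDAP SSL certificate verification is disabled for server '#{key}'; the connection can be intercepted.")` / `end`, using the `key` already in scope from the assignment at the end of the hunk. The `each` block this code sits in starts outside the hunk, so the exact placement relative to the `encryption` normalisation above should be checked there. The history comment ("added in 9.4.2 ... Since GitLab 10.0") is accurate and worth keeping.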
|
||||
|
|
|
@ -87,9 +87,12 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
|
|||
encryption: 'plain'
|
||||
|
||||
# Enables SSL certificate verification if encryption method is
|
||||
# "start_tls" or "simple_tls". (Defaults to false for backward-
|
||||
# compatibility)
|
||||
verify_certificates: false
|
||||
# "start_tls" or "simple_tls". Defaults to true since GitLab 10.0 for
|
||||
# security. This may break installations upon upgrade to 10.0, that did
|
||||
# not know their LDAP SSL certificates were not setup properly. For
|
||||
# example, when using self-signed certificates, the ca_file path may
|
||||
# need to be specified.
|
||||
verify_certificates: true
|
||||
|
||||
# Specifies the path to a file containing a PEM-format CA certificate,
|
||||
# e.g. if you need to use an internal CA.
|
||||
|
|