From dd3e7ff036401b4c3b754a24bfdf9248ae8a8fe5 Mon Sep 17 00:00:00 2001
From: Michael Kozono
Date: Tue, 29 Aug 2017 16:47:43 -0700
Subject: [PATCH 1/2] Default LDAP config verify_certificates to true

---
 config/gitlab.yml.example | 5 ++---
 config/initializers/1_settings.rb | 17 +++++------------
 doc/administration/auth/ldap.md | 9 ++++++---
 3 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 25285525846..545c01e1156 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -273,9 +273,8 @@ production: &base
 encryption: 'plain'
 
 # Enables SSL certificate verification if encryption method is
- # "start_tls" or "simple_tls". (Defaults to false for backward-
- # compatibility)
- verify_certificates: false
+ # "start_tls" or "simple_tls". Defaults to true.
+ verify_certificates: true
 
 # Specifies the path to a file containing a PEM-format CA certificate,
 # e.g. if you need to use an internal CA.
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index abaabad5d65..360b72cdea3 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
 server['encryption'] = 'simple_tls' if server['encryption'] == 'ssl'
 server['encryption'] = 'start_tls' if server['encryption'] == 'tls'
 
- # Certificates are not verified for backwards compatibility.
- # This default should be flipped to true in 9.5.
- if server['verify_certificates'].nil?
- server['verify_certificates'] = false
-
- message = <<-MSG.strip_heredoc
- LDAP SSL certificate verification is disabled for backwards-compatibility.
- Please add the "verify_certificates" option to gitlab.yml for each LDAP
- server. Certificate verification will be enabled by default in GitLab 9.5.
- MSG
- Rails.logger.warn(message)
- end
+ # Certificate verification was added in 9.4.2, and defaulted to false for
+ # backwards-compatibility.
+ #
+ # Since GitLab 10.0, verify_certificates defaults to true for security.
+ server['verify_certificates'] = true if server['verify_certificates'].nil?
 
 Settings.ldap['servers'][key] = server
 end
diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md
index 425c924cdf2..d22815dfa5e 100644
--- a/doc/administration/auth/ldap.md
+++ b/doc/administration/auth/ldap.md
@@ -87,9 +87,12 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
 encryption: 'plain'
 
 # Enables SSL certificate verification if encryption method is
- # "start_tls" or "simple_tls". (Defaults to false for backward-
- # compatibility)
- verify_certificates: false
+ # "start_tls" or "simple_tls". Defaults to true since GitLab 10.0 for
+ # security. This may break installations upon upgrade to 10.0, that did
+ # not know their LDAP SSL certificates were not setup properly. For
+ # example, when using self-signed certificates, the ca_file path may
+ # need to be specified.
+ verify_certificates: true
 
 # Specifies the path to a file containing a PEM-format CA certificate,
 # e.g. if you need to use an internal CA.
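Review bot: The secure default is now applied silently — the removed branch at least logged when verification was off, while the added line `server['verify_certificates'] = true if server['verify_certificates'].nil?` leaves no trace that a server's config relied on the default. After an upgrade, an LDAP bind failing on an untrusted certificate is hard to tie back to this flip, so consider a one-line startup log just before that assignment, e.g. `Rails.logger.info("LDAP server '#{key}': verify_certificates not set, defaulting to true") if server['verify_certificates'].nil?`, so an admin can see which servers should have `verify_certificates` or `ca_file` set explicitly. The `if Settings.ldap['enabled'] || Rails.env.test?` body and the per-server loop closed by the trailing `end` begin outside the hunk.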
From da6fede910f3812a8423ad4679839b6d680f9e73 Mon Sep 17 00:00:00 2001
From: Michael Kozono
Date: Tue, 29 Aug 2017 17:15:56 -0700
Subject: [PATCH 2/2] Add changelog entry for flipping verify_certificates

---
 .../mk-default-ldap-verify-certificates-secure.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelogs/unreleased/mk-default-ldap-verify-certificates-secure.yml

diff --git a/changelogs/unreleased/mk-default-ldap-verify-certificates-secure.yml b/changelogs/unreleased/mk-default-ldap-verify-certificates-secure.yml
new file mode 100644
index 00000000000..865b57fb284
--- /dev/null
+++ b/changelogs/unreleased/mk-default-ldap-verify-certificates-secure.yml
@@ -0,0 +1,5 @@
+---
+title: Default LDAP config "verify_certificates" to true for security
+merge_request: 13915
+author:
+type: changed