Default LDAP config verify_certificates to true

This commit is contained in:
Michael Kozono 2017-08-29 16:47:43 -07:00
parent cbaa015cc9
commit dd3e7ff036
3 changed files with 13 additions and 18 deletions

View file

@ -273,9 +273,8 @@ production: &base
encryption: 'plain' encryption: 'plain'
# Enables SSL certificate verification if encryption method is # Enables SSL certificate verification if encryption method is
# "start_tls" or "simple_tls". (Defaults to false for backward- # "start_tls" or "simple_tls". Defaults to true.
# compatibility) verify_certificates: true
verify_certificates: false
# Specifies the path to a file containing a PEM-format CA certificate, # Specifies the path to a file containing a PEM-format CA certificate,
# e.g. if you need to use an internal CA. # e.g. if you need to use an internal CA.

View file

@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
server['encryption'] = 'simple_tls' if server['encryption'] == 'ssl' server['encryption'] = 'simple_tls' if server['encryption'] == 'ssl'
server['encryption'] = 'start_tls' if server['encryption'] == 'tls' server['encryption'] = 'start_tls' if server['encryption'] == 'tls'
# Certificates are not verified for backwards compatibility. # Certificate verification was added in 9.4.2, and defaulted to false for
# This default should be flipped to true in 9.5. # backwards-compatibility.
if server['verify_certificates'].nil? #
server['verify_certificates'] = false # Since GitLab 10.0, verify_certificates defaults to true for security.
server['verify_certificates'] = true if server['verify_certificates'].nil?
message = <<-MSG.strip_heredoc
LDAP SSL certificate verification is disabled for backwards-compatibility.
Please add the "verify_certificates" option to gitlab.yml for each LDAP
server. Certificate verification will be enabled by default in GitLab 9.5.
MSG
Rails.logger.warn(message)
end
Settings.ldap['servers'][key] = server Settings.ldap['servers'][key] = server
end end

View file

@ -87,9 +87,12 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
encryption: 'plain' encryption: 'plain'
# Enables SSL certificate verification if encryption method is # Enables SSL certificate verification if encryption method is
# "start_tls" or "simple_tls". (Defaults to false for backward- # "start_tls" or "simple_tls". Defaults to true since GitLab 10.0 for
# compatibility) # security. This may break installations upon upgrade to 10.0, that did
verify_certificates: false # not know their LDAP SSL certificates were not setup properly. For
# example, when using self-signed certificates, the ca_file path may
# need to be specified.
verify_certificates: true
# Specifies the path to a file containing a PEM-format CA certificate, # Specifies the path to a file containing a PEM-format CA certificate,
# e.g. if you need to use an internal CA. # e.g. if you need to use an internal CA.