Uploaded image for project: 'MicroShift'
  1. MicroShift
  2. USHIFT-1019

Fix Authenticity Check of SSL/TLS Connection is Skipped

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False
    • uShift Sprint 233

      Description of problem:

      Severity: Moderate

There are several occurrences where the authenticity of a TLS connection is not verified. For example:

./pkg/controllers/etcd.go
./pkg/controllers/kube-controller-manager.go
./pkg/controllers/kube-scheduler.go
./pkg/node/kubelet.go

In ./pkg/util/net.go, a dedicated function RetryInsecureHttpsGet() is defined, which uses InsecureSkipVerify.

It's recommended not to use InsecureSkipVerify. Be careful of potential Man-in-the-Middle attacks.
 

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1.
2.
3.

      Actual results:

       

      Expected results:

       

      Additional info:

       

              pacevedo@redhat.com Pablo Acevedo Montserrat
              pacevedo@redhat.com Pablo Acevedo Montserrat
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: