Uploaded image for project: 'MicroShift'
  1. MicroShift
  2. USHIFT-1019

Fix Authenticity Check of SSL/TLS Connection is Skipped

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • uShift Sprint 233

    Description

      Description of problem:

      Severity: Moderate

There are several occurrences where the authenticity of a TLS connection is not verified. For example:

./pkg/controllers/etcd.go
./pkg/controllers/kube-controller-manager.go
./pkg/controllers/kube-scheduler.go
./pkg/node/kubelet.go

In ./pkg/util/net.go, a dedicated function RetryInsecureHttpsGet() is defined, which uses InsecureSkipVerify.

It's recommended not to use InsecureSkipVerify. Be careful of potential Man-in-the-Middle attacks.
 

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1.
2.
3.

      Actual results:

       

      Expected results:

       

      Additional info:

       

      Attachments

        Activity

          People

            pacevedo@redhat.com Pablo Acevedo Montserrat
            pacevedo@redhat.com Pablo Acevedo Montserrat
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: