<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/python, branch fix/T8955-http-api-verify-tls</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-02T14:49:20+00:00</updated>
<entry>
<title>http-api-client: T8955: enable TLS verification by default</title>
<updated>2026-06-02T14:49:20+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-06-02T14:49:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d0310ac0fba9d52d802160f61b662fca7601d060'/>
<id>urn:sha1:d0310ac0fba9d52d802160f61b662fca7601d060</id>
<content type='text'>
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally
silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by
default. The sole consumer, src/op_mode/config_sync.py, builds the client
without passing verify_tls and therefore connected to a *remote* secondary VyOS
node over HTTPS without verifying the certificate -- a MITM exposure on the
channel that carries the API key and the full configuration.

- ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str];
  a string is forwarded to requests as a CA bundle path (verify=&lt;path&gt;).
- InsecureRequestWarning is suppressed only when verification is explicitly
  disabled (verify_tls is False), not when a CA path or True is set.
- config_sync reads an optional verify_tls from the secondary runtime settings,
  defaulting to False to preserve current behaviour for self-signed secondaries.
  The insecurity is now explicit at the call site instead of hidden in the
  library default. A first-class CLI knob (set service config-sync secondary
  verify-tls / ca-certificate, with XML + migration) is the follow-up.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>nat: T8939: fix KeyError: 'group' exception</title>
<updated>2026-05-28T20:03:40+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2026-05-28T20:03:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=960e730bdde2f3561aa3cff8941e2f9db8eb32d8'/>
<id>urn:sha1:960e730bdde2f3561aa3cff8941e2f9db8eb32d8</id>
<content type='text'>
Prevent access to missing dictionary key by probing for availability. On removal
of inbound-interface or outbound-interface name CLI node, there was a guard
missing when accessing the CLI dictionary containing the config data.
</content>
</entry>
<entry>
<title>Merge pull request #5109 from statio/fix/vrf-aware-port-check</title>
<updated>2026-05-28T14:39:35+00:00</updated>
<author>
<name>Daniil Baturin</name>
<email>daniil@vyos.io</email>
</author>
<published>2026-05-28T14:39:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=cd619d4c355c9158497951231b1c993f8a7d26a9'/>
<id>urn:sha1:cd619d4c355c9158497951231b1c993f8a7d26a9</id>
<content type='text'>
T8454: fix VRF-bind port availability check in service_https</content>
</entry>
<entry>
<title>T8916: allow passing ReferenceTree instance to subtree_from_partial</title>
<updated>2026-05-28T13:31:32+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-27T13:16:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=9ff29049d42dbd40ede1c4507bc6598e0403ce46'/>
<id>urn:sha1:9ff29049d42dbd40ede1c4507bc6598e0403ce46</id>
<content type='text'>
For use in nosetests or other, allow passing ReferenceTree from an
internal cache in a non-standard location.
</content>
</entry>
<entry>
<title>T8502: add server support for config-sync excluded paths</title>
<updated>2026-05-28T13:31:26+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-04T19:34:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=9b6e4c75c8a362afa82c711a4254f38e8986662a'/>
<id>urn:sha1:9b6e4c75c8a362afa82c711a4254f38e8986662a</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8502: add library support for config-sync exclude paths</title>
<updated>2026-05-28T13:31:26+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-05T18:50:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bc541bbcc3e7da924ab1d21aed360eba09621e0b'/>
<id>urn:sha1:bc541bbcc3e7da924ab1d21aed360eba09621e0b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8502: add list of global config-sync exclude paths</title>
<updated>2026-05-28T13:31:21+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-04T19:33:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8b2d2a80c0f9272d80ee4d90077978c9e43021b9'/>
<id>urn:sha1:8b2d2a80c0f9272d80ee4d90077978c9e43021b9</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8454: fix VRF-bind port availability check in service_https</title>
<updated>2026-05-27T20:15:40+00:00</updated>
<author>
<name>Lee Clements</name>
<email>lclements0@gmail.com</email>
</author>
<published>2026-04-03T20:46:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=18e14cf71b3597112357b58e24fbe7aa9a7d7f4c'/>
<id>urn:sha1:18e14cf71b3597112357b58e24fbe7aa9a7d7f4c</id>
<content type='text'>
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.

Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.

Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.

service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.

Add smoke test for HTTPS with listen-address inside a VRF.

Co-authored-by: Christian Breunig &lt;christian@breunig.cc&gt;
</content>
</entry>
<entry>
<title>Merge pull request #5157 from xTITUSMAXIMUSX/current</title>
<updated>2026-05-26T15:27:03+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-26T15:27:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f420c2913a30cac5d61f94061466f6f6ccf7d81c'/>
<id>urn:sha1:f420c2913a30cac5d61f94061466f6f6ccf7d81c</id>
<content type='text'>
geoip: T8590: fix initialization failure and set clobbering on boot and commit</content>
</entry>
<entry>
<title>wwan: T8412: Fix commit failure when modem is absent or not connected</title>
<updated>2026-05-22T13:54:27+00:00</updated>
<author>
<name>Nataliia Solomko</name>
<email>natalirs1985@gmail.com</email>
</author>
<published>2026-05-22T13:54:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8a537e8097ac80c696299d267e1dd1c9b6000bab'/>
<id>urn:sha1:8a537e8097ac80c696299d267e1dd1c9b6000bab</id>
<content type='text'>
`mmcli --simple-disconnect` can be called when the modem bearer is not active.
This causes cmd() to raise a `PermissionError` and abort the commit.
Handle the case gracefully so the configuration can be committed before the modem
is physically present or fully connected.
</content>
</entry>
</feed>
