<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/op_mode/config_sync.py, branch fix/T8955-http-api-verify-tls</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-02T14:49:20+00:00</updated>
<entry>
<title>http-api-client: T8955: enable TLS verification by default</title>
<updated>2026-06-02T14:49:20+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-06-02T14:49:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d0310ac0fba9d52d802160f61b662fca7601d060'/>
<id>urn:sha1:d0310ac0fba9d52d802160f61b662fca7601d060</id>
<content type='text'>
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally
silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by
default. The sole consumer, src/op_mode/config_sync.py, builds the client
without passing verify_tls and therefore connected to a *remote* secondary VyOS
node over HTTPS without verifying the certificate -- a MITM exposure on the
channel that carries the API key and the full configuration.

- ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str];
  a string is forwarded to requests as a CA bundle path (verify=&lt;path&gt;).
- InsecureRequestWarning is suppressed only when verification is explicitly
  disabled (verify_tls is False), not when a CA path or True is set.
- config_sync reads an optional verify_tls from the secondary runtime settings,
  defaulting to False to preserve current behaviour for self-signed secondaries.
  The insecurity is now explicit at the call site instead of hidden in the
  library default. A first-class CLI knob (set service config-sync secondary
  verify-tls / ca-certificate, with XML + migration) is the follow-up.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>config-sync: T7784: Add command to diff configuration with secondary node</title>
<updated>2026-04-01T08:30:15+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-03-24T13:26:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=54fc0e1199625c8b6223e5d034bf895cfbf57c77'/>
<id>urn:sha1:54fc0e1199625c8b6223e5d034bf895cfbf57c77</id>
<content type='text'>
Add a new operational command to compare configuration between
nodes participating in config synchronization.

New command:
  - `show configuration secondary sync [commands] [running|candidate|saved] [config-node-path]`.

This allows operators to view configuration differences across secondary peer
before applying or syncing changes.

Supports:
  - displaying using raw diff and 'commands' format;
  - optional section filtering (subtree comparison);
  - selectable config source (running, candidate, saved).
</content>
</entry>
</feed>
