<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/op_mode, branch fix/T8955-http-api-verify-tls</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-02T14:49:20+00:00</updated>
<entry>
<title>http-api-client: T8955: enable TLS verification by default</title>
<updated>2026-06-02T14:49:20+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-06-02T14:49:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d0310ac0fba9d52d802160f61b662fca7601d060'/>
<id>urn:sha1:d0310ac0fba9d52d802160f61b662fca7601d060</id>
<content type='text'>
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally
silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by
default. The sole consumer, src/op_mode/config_sync.py, builds the client
without passing verify_tls and therefore connected to a *remote* secondary VyOS
node over HTTPS without verifying the certificate -- a MITM exposure on the
channel that carries the API key and the full configuration.

- ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str];
  a string is forwarded to requests as a CA bundle path (verify=&lt;path&gt;).
- InsecureRequestWarning is suppressed only when verification is explicitly
  disabled (verify_tls is False), not when a CA path or True is set.
- config_sync reads an optional verify_tls from the secondary runtime settings,
  defaulting to False to preserve current behaviour for self-signed secondaries.
  The insecurity is now explicit at the call site instead of hidden in the
  library default. A first-class CLI knob (set service config-sync secondary
  verify-tls / ca-certificate, with XML + migration) is the follow-up.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>Merge pull request #5202 from indrajitr/T8877-pki-private-key</title>
<updated>2026-05-26T11:44:59+00:00</updated>
<author>
<name>Daniil Baturin</name>
<email>daniil@vyos.io</email>
</author>
<published>2026-05-26T11:44:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6ef84d9a2b30c4cfb9ce298b007162bab16275aa'/>
<id>urn:sha1:6ef84d9a2b30c4cfb9ce298b007162bab16275aa</id>
<content type='text'>
pki: T8877: Add ability to show private key in pem format</content>
</entry>
<entry>
<title>conntrack: T8909: Remove connection id column from output table</title>
<updated>2026-05-25T14:15:13+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-25T14:15:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8f73bfbda0e43d83947624627ea0cdd8269521cb'/>
<id>urn:sha1:8f73bfbda0e43d83947624627ea0cdd8269521cb</id>
<content type='text'>
This cleanup enhances readability and aligns the output
with the actual data being displayed.
</content>
</entry>
<entry>
<title>pki: T8877: Add ability to show private key in pem format</title>
<updated>2026-05-19T04:33:51+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2026-05-15T23:26:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=88a50d1700cac0b38595b206f804a59592bdb3d2'/>
<id>urn:sha1:88a50d1700cac0b38595b206f804a59592bdb3d2</id>
<content type='text'>
Add op-mode command having ability to show private
key in pem format as part of PKI configuration.

This is needed for users who want to render the
certificate and its private key.
</content>
</entry>
<entry>
<title>traceroute: T8539: fix invalid hostname</title>
<updated>2026-04-22T05:33:44+00:00</updated>
<author>
<name>Jose Phillips</name>
<email>jose@latinol.com</email>
</author>
<published>2026-04-22T05:33:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=e1f9d876716f530e372e4d2f49eb77c800740e41'/>
<id>urn:sha1:e1f9d876716f530e372e4d2f49eb77c800740e41</id>
<content type='text'>
</content>
</entry>
<entry>
<title>traceroute: T8539: fix source-address AF lookup</title>
<updated>2026-04-21T15:32:43+00:00</updated>
<author>
<name>Jose Phillips</name>
<email>jose@latinol.com</email>
</author>
<published>2026-04-21T15:32:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=143224e4b7656c659b937153d16cd6e8cbbea1f9'/>
<id>urn:sha1:143224e4b7656c659b937153d16cd6e8cbbea1f9</id>
<content type='text'>
</content>
</entry>
<entry>
<title>traceroute: T8539: fix IPv6 hostname resolution</title>
<updated>2026-04-21T07:12:13+00:00</updated>
<author>
<name>Jose Phillips</name>
<email>jose@latinol.com</email>
</author>
<published>2026-04-21T05:49:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=29eb4d98273e84b28a8a868805358dcadc56d9e2'/>
<id>urn:sha1:29eb4d98273e84b28a8a868805358dcadc56d9e2</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge pull request #5096 from jestabro/extend-activation-system</title>
<updated>2026-04-20T20:48:43+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-04-20T20:48:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1d81dd0c6190d9fd36d01014f3b0a2d4bb91a919'/>
<id>urn:sha1:1d81dd0c6190d9fd36d01014f3b0a2d4bb91a919</id>
<content type='text'>
T8445: T8335: Extend config activation system</content>
</entry>
<entry>
<title>Merge pull request #5122 from c-po/op-mode-sensors</title>
<updated>2026-04-17T10:00:45+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-04-17T10:00:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=a8187bb23035fe13a5a8942ad3768d5a6c819232'/>
<id>urn:sha1:a8187bb23035fe13a5a8942ad3768d5a6c819232</id>
<content type='text'>
op-mode: T8483: fix /show_sensors.py: No such file or directory</content>
</entry>
<entry>
<title>op-mode: T8483: remove hypervisor checks from sensors detection</title>
<updated>2026-04-16T15:17:31+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2026-04-16T15:17:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4a5cb1db2b35f4300552717f75422376f381b3bd'/>
<id>urn:sha1:4a5cb1db2b35f4300552717f75422376f381b3bd</id>
<content type='text'>
Maintainers agreed to remove the CPU-flag-based hypervisor check, as it is
arbitrary and can produce incorrect behavior. Sensors can be passed through to
virtual machines, so running in a VM should not be treated differently.

If no sensors are detected - whether on a hypervisor VM or on bare metal - the
command now reports: "No sensors found".
</content>
</entry>
</feed>
