<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src, branch fix/T8955-http-api-verify-tls</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-02T14:49:20+00:00</updated>
<entry>
<title>http-api-client: T8955: enable TLS verification by default</title>
<updated>2026-06-02T14:49:20+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-06-02T14:49:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d0310ac0fba9d52d802160f61b662fca7601d060'/>
<id>urn:sha1:d0310ac0fba9d52d802160f61b662fca7601d060</id>
<content type='text'>
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally
silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by
default. The sole consumer, src/op_mode/config_sync.py, builds the client
without passing verify_tls and therefore connected to a *remote* secondary VyOS
node over HTTPS without verifying the certificate -- a MITM exposure on the
channel that carries the API key and the full configuration.

- ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str];
  a string is forwarded to requests as a CA bundle path (verify=&lt;path&gt;).
- InsecureRequestWarning is suppressed only when verification is explicitly
  disabled (verify_tls is False), not when a CA path or True is set.
- config_sync reads an optional verify_tls from the secondary runtime settings,
  defaulting to False to preserve current behaviour for self-signed secondaries.
  The insecurity is now explicit at the call site instead of hidden in the
  library default. A first-class CLI knob (set service config-sync secondary
  verify-tls / ca-certificate, with XML + migration) is the follow-up.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>Merge pull request #5109 from statio/fix/vrf-aware-port-check</title>
<updated>2026-05-28T14:39:35+00:00</updated>
<author>
<name>Daniil Baturin</name>
<email>daniil@vyos.io</email>
</author>
<published>2026-05-28T14:39:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=cd619d4c355c9158497951231b1c993f8a7d26a9'/>
<id>urn:sha1:cd619d4c355c9158497951231b1c993f8a7d26a9</id>
<content type='text'>
T8454: fix VRF-bind port availability check in service_https</content>
</entry>
<entry>
<title>Merge pull request #5169 from jestabro/exclusive-mask-config-sync</title>
<updated>2026-05-28T13:40:57+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-28T13:40:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d4bb72161387132475e68c9186419f0384c28b32'/>
<id>urn:sha1:d4bb72161387132475e68c9186419f0384c28b32</id>
<content type='text'>
T8502: Add exclusion mask to config-sync</content>
</entry>
<entry>
<title>T8916: add simple nosetest for subtree_from_partial utility</title>
<updated>2026-05-28T13:31:32+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-27T13:19:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8aa9fe5d526e3a7432959e60216ca3363bde90fb'/>
<id>urn:sha1:8aa9fe5d526e3a7432959e60216ca3363bde90fb</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8502: add util for updating config-sync-exclude.json</title>
<updated>2026-05-28T13:31:26+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-20T15:50:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=803dafbaf64dd39f15094c1219b2a59d14f2781c'/>
<id>urn:sha1:803dafbaf64dd39f15094c1219b2a59d14f2781c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8502: add client support for config-sync excluded paths</title>
<updated>2026-05-28T13:31:26+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-04T19:35:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4113da576b6f934d0340cb18ae184bb25c1619c0'/>
<id>urn:sha1:4113da576b6f934d0340cb18ae184bb25c1619c0</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8502: add server support for config-sync excluded paths</title>
<updated>2026-05-28T13:31:26+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2026-05-04T19:34:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=9b6e4c75c8a362afa82c711a4254f38e8986662a'/>
<id>urn:sha1:9b6e4c75c8a362afa82c711a4254f38e8986662a</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge pull request #5074 from vyos/fix/bare-except-clauses</title>
<updated>2026-05-28T11:42:05+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-05-28T11:42:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=07410437cde7b1df74cf62343a47549051279f08'/>
<id>urn:sha1:07410437cde7b1df74cf62343a47549051279f08</id>
<content type='text'>
python: T8857: replace bare except clauses with except Exception in config scripts</content>
</entry>
<entry>
<title>T8454: fix VRF-bind port availability check in service_https</title>
<updated>2026-05-27T20:15:40+00:00</updated>
<author>
<name>Lee Clements</name>
<email>lclements0@gmail.com</email>
</author>
<published>2026-04-03T20:46:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=18e14cf71b3597112357b58e24fbe7aa9a7d7f4c'/>
<id>urn:sha1:18e14cf71b3597112357b58e24fbe7aa9a7d7f4c</id>
<content type='text'>
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.

Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.

Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.

service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.

Add smoke test for HTTPS with listen-address inside a VRF.

Co-authored-by: Christian Breunig &lt;christian@breunig.cc&gt;
</content>
</entry>
<entry>
<title>Merge pull request #5208 from alexandr-san4ez/T8538-current</title>
<updated>2026-05-27T19:42:01+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2026-05-27T19:42:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=238d835823ee94b2060454e1a270176001d46345'/>
<id>urn:sha1:238d835823ee94b2060454e1a270176001d46345</id>
<content type='text'>
snmp: T8538: Persist engineBoots counter across reboots</content>
</entry>
</feed>
