summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-06-02 17:49:20 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-06-02 17:49:20 +0300
commitd0310ac0fba9d52d802160f61b662fca7601d060 (patch)
treea6e28ae11148cb1c22d20885bce006bb02fb24a9 /python
parente238afbd6bc272b02b426f1b16fe8d16f6069c05 (diff)
downloadvyos-1x-fix/T8955-http-api-verify-tls.tar.gz
vyos-1x-fix/T8955-http-api-verify-tls.zip
http-api-client: T8955: enable TLS verification by defaultfix/T8955-http-api-verify-tls
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by default. The sole consumer, src/op_mode/config_sync.py, builds the client without passing verify_tls and therefore connected to a *remote* secondary VyOS node over HTTPS without verifying the certificate -- a MITM exposure on the channel that carries the API key and the full configuration. - ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str]; a string is forwarded to requests as a CA bundle path (verify=<path>). - InsecureRequestWarning is suppressed only when verification is explicitly disabled (verify_tls is False), not when a CA path or True is set. - config_sync reads an optional verify_tls from the secondary runtime settings, defaulting to False to preserve current behaviour for self-signed secondaries. The insecurity is now explicit at the call site instead of hidden in the library default. A first-class CLI knob (set service config-sync secondary verify-tls / ca-certificate, with XML + migration) is the follow-up. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'python')
-rw-r--r--python/vyos/http_api_client.py14
1 files changed, 11 insertions, 3 deletions
diff --git a/python/vyos/http_api_client.py b/python/vyos/http_api_client.py
index ae16cfa54..c40621bc7 100644
--- a/python/vyos/http_api_client.py
+++ b/python/vyos/http_api_client.py
@@ -19,6 +19,7 @@ import json
import urllib3
import requests
from typing import Optional
+from typing import Union
from dataclasses import dataclass
from vyos.version import get_version
@@ -51,7 +52,11 @@ class ApiClientConfig:
key: str
port: int = 443
timeout: Optional[int] = None
- verify_tls: bool = False
+ # TLS peer verification, forwarded verbatim to requests' ``verify``:
+ # True - verify against the system CA store (secure default)
+ # False - disable verification (insecure; opt-in only)
+ # "<path>" - verify against a custom CA bundle file/dir
+ verify_tls: Union[bool, str] = True
class ApiClient:
@@ -60,7 +65,8 @@ class ApiClient:
Design goals:
- minimal surface area (thin wrapper around requests)
- consistent error handling + typed exceptions
- - safe defaults for VyOS typical self-signed HTTPS usage (verify_tls=False)
+ - secure defaults (verify_tls=True); deployments using self-signed
+ certificates opt into verify_tls=False or supply a CA bundle path
"""
_DEFAULT_HEADERS = {
@@ -77,7 +83,9 @@ class ApiClient:
self._session = requests.Session()
self._session.headers.update(self._DEFAULT_HEADERS)
- if not config.verify_tls:
+ # Only silence the insecure-request warning when verification has been
+ # explicitly disabled. A CA bundle path or True must keep warnings on.
+ if config.verify_tls is False:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@property