summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-06-02 17:49:20 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-06-02 17:49:20 +0300
commitd0310ac0fba9d52d802160f61b662fca7601d060 (patch)
treea6e28ae11148cb1c22d20885bce006bb02fb24a9 /src
parente238afbd6bc272b02b426f1b16fe8d16f6069c05 (diff)
downloadvyos-1x-fix/T8955-http-api-verify-tls.tar.gz
vyos-1x-fix/T8955-http-api-verify-tls.zip
http-api-client: T8955: enable TLS verification by defaultfix/T8955-http-api-verify-tls
ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by default. The sole consumer, src/op_mode/config_sync.py, builds the client without passing verify_tls and therefore connected to a *remote* secondary VyOS node over HTTPS without verifying the certificate -- a MITM exposure on the channel that carries the API key and the full configuration. - ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str]; a string is forwarded to requests as a CA bundle path (verify=<path>). - InsecureRequestWarning is suppressed only when verification is explicitly disabled (verify_tls is False), not when a CA path or True is set. - config_sync reads an optional verify_tls from the secondary runtime settings, defaulting to False to preserve current behaviour for self-signed secondaries. The insecurity is now explicit at the call site instead of hidden in the library default. A first-class CLI knob (set service config-sync secondary verify-tls / ca-certificate, with XML + migration) is the follow-up. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'src')
-rw-r--r--src/op_mode/config_sync.py10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/op_mode/config_sync.py b/src/op_mode/config_sync.py
index d6eff7cd2..2cce972e8 100644
--- a/src/op_mode/config_sync.py
+++ b/src/op_mode/config_sync.py
@@ -68,13 +68,21 @@ def _load_config_sync_settings() -> dict:
key = secondary.get('key')
port = int(secondary.get('port', 443))
timeout = int(secondary.get('timeout')) if secondary.get('timeout') else None
+ # config-sync talks to a remote secondary over HTTPS. TLS verification is
+ # off by default because secondary nodes typically present a self-signed
+ # certificate; an operator can opt in (True, or a CA bundle path) once the
+ # runtime config exposes it. TODO: surface as a proper CLI knob
+ # (set service config-sync secondary verify-tls / ca-certificate).
+ verify_tls = secondary.get('verify_tls', False)
if not address or not key:
raise opmode.UnconfiguredObject(
'Config-sync is not fully configured: missing secondary address/key'
)
- return dict(host=address, key=key, port=port, timeout=timeout)
+ return dict(
+ host=address, key=key, port=port, timeout=timeout, verify_tls=verify_tls
+ )
class ConfigSyncDiffManager: