From d0310ac0fba9d52d802160f61b662fca7601d060 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Tue, 2 Jun 2026 17:49:20 +0300 Subject: http-api-client: T8955: enable TLS verification by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ApiClientConfig.verify_tls defaulted to False and ApiClient unconditionally silenced urllib3's InsecureRequestWarning, so TLS peer verification was off by default. The sole consumer, src/op_mode/config_sync.py, builds the client without passing verify_tls and therefore connected to a *remote* secondary VyOS node over HTTPS without verifying the certificate -- a MITM exposure on the channel that carries the API key and the full configuration. - ApiClientConfig.verify_tls now defaults to True and accepts Union[bool, str]; a string is forwarded to requests as a CA bundle path (verify=). - InsecureRequestWarning is suppressed only when verification is explicitly disabled (verify_tls is False), not when a CA path or True is set. - config_sync reads an optional verify_tls from the secondary runtime settings, defaulting to False to preserve current behaviour for self-signed secondaries. The insecurity is now explicit at the call site instead of hidden in the library default. A first-class CLI knob (set service config-sync secondary verify-tls / ca-certificate, with XML + migration) is the follow-up. 🤖 Generated by [robots](https://vyos.io) --- python/vyos/http_api_client.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'python') diff --git a/python/vyos/http_api_client.py b/python/vyos/http_api_client.py index ae16cfa54..c40621bc7 100644 --- a/python/vyos/http_api_client.py +++ b/python/vyos/http_api_client.py @@ -19,6 +19,7 @@ import json import urllib3 import requests from typing import Optional +from typing import Union from dataclasses import dataclass from vyos.version import get_version @@ -51,7 +52,11 @@ class ApiClientConfig: key: str port: int = 443 timeout: Optional[int] = None - verify_tls: bool = False + # TLS peer verification, forwarded verbatim to requests' ``verify``: + # True - verify against the system CA store (secure default) + # False - disable verification (insecure; opt-in only) + # "" - verify against a custom CA bundle file/dir + verify_tls: Union[bool, str] = True class ApiClient: @@ -60,7 +65,8 @@ class ApiClient: Design goals: - minimal surface area (thin wrapper around requests) - consistent error handling + typed exceptions - - safe defaults for VyOS typical self-signed HTTPS usage (verify_tls=False) + - secure defaults (verify_tls=True); deployments using self-signed + certificates opt into verify_tls=False or supply a CA bundle path """ _DEFAULT_HEADERS = { @@ -77,7 +83,9 @@ class ApiClient: self._session = requests.Session() self._session.headers.update(self._DEFAULT_HEADERS) - if not config.verify_tls: + # Only silence the insecure-request warning when verification has been + # explicitly disabled. A CA bundle path or True must keep warnings on. + if config.verify_tls is False: urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) @property -- cgit v1.2.3