
Set FF_RESOLVE_FULL_TLS_CHAIN to false by default

Stan Hu requested to merge sh-resolve-full-tls-chain-ff-false into main

We added the FF_RESOLVE_FULL_TLS_CHAIN feature flag in !3699 (merged) to address TLS verification issues on macOS since macOS stopped allowing SHA-1 certificates (#29373 (closed)).

However, this feature flag can probably be set to false now that most runners are using a fairly recent version of libcurl. libcurl v7.68 has since fixed the behavior to trust a certificate authority that is not self-signed. As a result, resolving the full chain is no longer necessary. As long as there is a trusted certificate authority in the chain, the TLS connection can proceed.

This would also help avoid needing to decode certificates in the first place (https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36318).

Relates to #36319 (closed)

Edited by Stan Hu
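The verification policy the description leans on, as an added example in Go (the runner's language) using crypto/x509; this is not code from gitlab-runner or from libcurl. It builds a constructed three-tier chain (self-signed root, intermediate CA, server leaf for the made-up host gitlab.example.invalid) and checks the leaf three ways: with only the non-self-signed intermediate in the trust store, with the fully resolved chain, and with the root alone while the server omits the intermediate. The first case is the one that a non-self-signed trust anchor makes possible, and Go's verifier, like libcurl 7.68 and later as the description states, accepts it. Names and the `Verify` helper are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for tmpl signed by parent, or self-signed when parent is nil.
// Keys are generated fresh on every run; nothing here is a real CA (constructed example).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate returns a CA certificate template with the basic constraints a verifier checks.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// Chain is a constructed chain: self-signed Root -> Intermediate -> server Leaf.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildChain issues the three certificates in memory.
func BuildChain() Chain {
	root, rootKey := newCert(caTemplate("Example Root CA (constructed)", 1), nil, nil)
	inter, interKey := newCert(caTemplate("Example Intermediate CA (constructed)", 2), root, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "gitlab.example.invalid"},
		DNSNames:     []string{"gitlab.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := newCert(leafTmpl, inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// Verify checks the leaf against `trusted` (modelling the contents of a CA file such as
// CI_SERVER_TLS_CA_FILE) plus `sent`, the intermediates a server would include in its handshake.
// Any certificate in `trusted` is a trust anchor whether or not it is self-signed.
func Verify(c Chain, trusted, sent []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	inters := x509.NewCertPool()
	for _, s := range sent {
		inters.AddCert(s)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "gitlab.example.invalid",
		Roots:         roots,
		Intermediates: inters,
	})
	return err
}

func main() {
	c := BuildChain()
	// Only the non-self-signed intermediate is trusted: accepted, no root needed.
	fmt.Println("intermediate only:", Verify(c, []*x509.Certificate{c.Intermediate}, nil))
	// Fully resolved chain, what resolving up to the self-signed root provides.
	fmt.Println("root + sent intermediate:", Verify(c, []*x509.Certificate{c.Root}, []*x509.Certificate{c.Intermediate}))
	// Root only and the server omits the intermediate: no chain can be built.
	fmt.Println("root only, no intermediate:", Verify(c, []*x509.Certificate{c.Root}, nil))
}
```

The middle case is what resolving the full chain buys; the first case shows that it is unnecessary once the verifier accepts a non-self-signed CA as a trust anchor, and the third case shows that a trust store holding only the root still fails whenever the server does not present the intermediate, which is independent of the flag.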
