Proof of concept for validating certificates

Description

In #3202 (closed) we have a good amount of information on why we cannot upgrade to Go 1.9 just yet. Since we are having a hard time scheduling and planning it, it was decided to first create a proof of concept (max 3-5 days spent) to investigate and create a working solution for validating the certificates.

Proposal

There is already a WIP MR !902 (closed) that tries to do this.

Another option would be:

  • Detect if there are any custom certificates in /etc/ssl/certs
  • If there are files, use the 1.8 validation/building of the certificate chain (this code can be taken from the Go source code as long as we keep the copyright notice at the beginning of the file)
  • If not present, use Go's native 1.9 validation/building of the certificate chain

Links to related issues and merge requests / references

#3202 (closed)

Issue on Go src

Development Log

Current plan

  • Check whether we send the full certificate chain for the omnibus & helm charts
  • Start using the certificate returned from the request in the git config value instead of the validated one.
  • Provide a feature flag to switch back to the old method.
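
The difference between the certificate chain returned from the request and the validated one, shown as an added example (not code from this issue or from the project) using a constructed root, intermediate and leaf. The names `issue` and `chains` and all certificate subjects are hypothetical; in a real TLS client the two chains correspond to `tls.ConnectionState.PeerCertificates` and `tls.ConnectionState.VerifiedChains`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate signed with the parent's key pk; nil parent = self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chains returns the chain as a server would send it and the chain built by verification.
func chains() (presented, verified []*x509.Certificate, err error) {
	root, rootKey := issue("Constructed Root", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate", true, root, rootKey)
	leaf, _ := issue("gitlab.example.test", false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)   // local trust store (constructed)
	inters.AddCert(inter) // intermediates taken from what the server sent
	built, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, nil, err
	}
	return []*x509.Certificate{leaf, inter}, built[0], nil // server sends leaf+intermediate only
}

func main() {
	p, v, err := chains()
	fmt.Printf("presented=%d verified=%d err=%v\n", len(p), len(v), err)
}
```

The verified chain ends in the root taken from the local trust store, while the presented chain holds only what the server sent, which is why the first item of the plan checks that the full chain is sent.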