Skip to content

Self-signed certificates are not validated correctly

Per this line:

https://gitlab.com/gitlab-org/gitlab-shell/blob/master/lib/gitlab_net.rb#L167

    if uri.is_a?(URI::HTTPS)
      http.use_ssl = true
      http.cert_store = cert_store
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if config.http_settings['self_signed_cert']
    end

This renders us vulnerable to man-in-the-middle attacks when self_signed_cert is truthy, which is unexpected behaviour.

When we're using a self-signed certificate, we should have a copy of that certificate on the gitlab-shell side. When we connect to gitlab-ce, we should verify that the server-presented certificate exactly matches the certificate we have. Instead, we're allowing any certificate to be accepted.

I don't know how much of a problem this is in the wild, I just spotted it in passing.

/cc @rspeicher @kathyw @jritchey

For context: gitlab-shell makes calls to gitlab-ce's internal HTTP(S) API to verify whether actions are permitted or not. If someone could MitM the traffic, they could return "yes" instead of "no" to gain access to things - but managing to MitM it is quite a large barrier in most setups.

Edited by Sean Carroll