Enable SSL certification verification by default with Fog access
What does this MR do and why?
Previously, Fog did not check whether the server's certificate was expired or trusted. This behavior allowed build traces to upload successfully, but they would not be downloadable by the user.
Relates to gitlab-org/charts/gitlab#3478 (moved)
Closes #370858 (closed)
How to set up and validate locally
In the Rails console, run Excon::get('https://expired.badssl.com/'). Notice that it succeeds on master:
irb(main):005:0> Excon::get('https://expired.badssl.com/')
=> #<Excon::Response:0x00007fee04342200 @data={:body=>"<!DOCTYPE html>\n<html>\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <link rel=\"shortcut icon\" href=\"/icons/favicon-red.ico\"/>\n <link rel=\"apple-touch-icon\" href=\"/icons/icon-red.png\"/>\n <title>expired.badssl.com</title>\n <link rel=\"stylesheet\" href=\"/style.css\">\n <style>body { background: red; }</style>\n</head>\n<body>\n<div id=\"content\">\n <h1 style=\"font-size: 12vw;\">\n expired.<br>badssl.com\n </h1>\n</div>\n\n</body>\n</html>\n", :cookies=>[], :host=>"expired.badssl.com", :headers=>{"Server"=>"nginx/1.10.3 (Ubuntu)", "Date"=>"Tue, 16 Aug 2022 16:08:43 GMT", "Content-Type"=>"text/html", "Content-Length"=>"494", "Last-Modified"=>"Fri, 12 Aug 2022 15:59:21 GMT", "Connection"=>"keep-alive", "ETag"=>"\"62f678d9-1ee\"", "Cache-Control"=>"no-store", "Accept-Ranges"=>"bytes"}, :path=>"/", :port=>443, :status=>200, :status_line=>"HTTP/1.1 200 OK\r\n", :reason_phrase=>"OK", :remote_ip=>"104.154.89.105", :local_port=>46564, :local_address=>"172.30.0.215"}, @body="<!DOCTYPE html>\n<html>\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <link rel=\"shortcut icon\" href=\"/icons/favicon-red.ico\"/>\n <link rel=\"apple-touch-icon\" href=\"/icons/icon-red.png\"/>\n <title>expired.badssl.com</title>\n <link rel=\"stylesheet\" href=\"/style.css\">\n <style>body { background: red; }</style>\n</head>\n<body>\n<div id=\"content\">\n <h1 style=\"font-size: 12vw;\">\n expired.<br>badssl.com\n </h1>\n</div>\n\n</body>\n</html>\n", @headers={"Server"=>"nginx/1.10.3 (Ubuntu)", "Date"=>"Tue, 16 Aug 2022 16:08:43 GMT", "Content-Type"=>"text/html", "Content-Length"=>"494", "Last-Modified"=>"Fri, 12 Aug 2022 15:59:21 GMT", "Connection"=>"keep-alive", "ETag"=>"\"62f678d9-1ee\"", "Cache-Control"=>"no-store", "Accept-Ranges"=>"bytes"}, @status=200, @remote_ip="104.154.89.105", @local_port=46564, @local_address="172.30.0.215">
With this branch:
[2] pry(main)> Excon::get('https://expired.badssl.com/')
Excon::Error::Certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:
`Excon.defaults[:ssl_ca_path] = path_to_certs`
`ENV['SSL_CERT_DIR'] = path_to_certs`
`Excon.defaults[:ssl_ca_file] = path_to_file`
`ENV['SSL_CERT_FILE'] = path_to_file`
`Excon.defaults[:ssl_verify_callback] = callback`
(see OpenSSL::SSL::SSLContext#verify_callback)
or:
`Excon.defaults[:ssl_verify_peer] = false` (less secure).
from /Users/stanhu/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/excon-0.90.0/lib/excon/ssl_socket.rb:142:in `connect_nonblock'
Caused by OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
from /Users/stanhu/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/excon-0.90.0/lib/excon/ssl_socket.rb:142:in `connect_nonblock'
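The same before/after contrast can be reproduced offline with the example below, which is added here and is not code from this MR, Fog or Excon. It serves a constructed, already-expired self-signed certificate on loopback and performs one handshake with VERIFY_NONE (the old Fog behaviour) and one with VERIFY_PEER (the new default), using only Ruby's openssl and socket standard libraries.

```ruby
require 'openssl'
require 'socket'

# Constructed fixture: a self-signed certificate whose validity window ended a
# day ago, so the only thing a verifying client can object to is its expiry.
def expired_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 2 * 86_400, Time.now - 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# TLS handshake with host:port under the given verify mode. Returns :ok when the
# handshake completes and :expired when OpenSSL rejects the expired certificate.
# The server cert is added to the trust store so that only expiry can fail.
def handshake_result(host, port, verify_mode, trusted_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_cert) }
  tcp = TCPSocket.new(host, port)
  OpenSSL::SSL::SSLSocket.new(tcp, ctx).connect.close
  :ok
rescue OpenSSL::SSL::SSLError => e
  e.message.include?('expired') ? :expired : :error
ensure
  tcp&.close
end

# Serve the expired certificate on a loopback port and probe it both ways:
# VERIFY_NONE is what Fog did before this MR, VERIFY_PEER is the new default.
def compare_verify_modes
  cert, key = expired_self_signed_cert
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  # Accept in the background; a handshake the client aborts raises here and is ignored.
  thread = Thread.new { loop { server.accept.close rescue nil } }
  port = tcp.addr[1]
  { verify_none: handshake_result('127.0.0.1', port, OpenSSL::SSL::VERIFY_NONE, cert),
    verify_peer: handshake_result('127.0.0.1', port, OpenSSL::SSL::VERIFY_PEER, cert) }
ensure
  thread&.kill&.join
  tcp&.close
end
```

Calling compare_verify_modes returns {verify_none: :ok, verify_peer: :expired}, the same pass/fail split the Excon sessions above show between master and this branch.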
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Jason Plum