unbound: user-defined CAs #10283
| 'stream': True | ||
| } | ||
| if os.path.exists('/usr/local/etc/ssl/cert.pem'): | ||
| req_opts['verify'] = '/usr/local/etc/ssl/cert.pem' |
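Review bot: The `os.path.exists` guard means that when `/usr/local/etc/ssl/cert.pem` is absent, `verify` is silently left unset and requests falls back to its built-in CAs, so a user-defined CA that was never written out surfaces only as a verification failure with no hint why; log when the file is missing, and resolve the bundle path in one shared helper (honouring `REQUESTS_CA_BUNDLE` where set) instead of repeating the literal path at each call site.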
What I don't get is that REQUESTS_CA_BUNDLE should be set:
And this should work for other scripting already.
requests.get() seems to need a verify argument to include CAs other than the ones it is bundled with.
configd doesn't seem up to the task.
that's pretty weird, I'm quite sure this used to work earlier as also specified in https://requests.readthedocs.io/en/latest/user/advanced/
This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable. I
When you are using the prepared request flow, keep in mind that it does not take into account the environment. This can cause problems if you are using environment variables to change the behaviour of requests. For example: Self-signed SSL certificates specified in REQUESTS_CA_BUNDLE will not be taken into account. As a result an SSL: CERTIFICATE_VERIFY_FAILED is thrown.
In either case I don't like hardcoding this everywhere it is deemed necessary.
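One way to avoid repeating the bundle path at every call site, as an added example that is not part of this PR or of OPNsense's code: a stdlib-only helper that resolves the CA bundle once (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, in the order requests itself uses, then the hunk's /usr/local/etc/ssl/cert.pem as a fallback), rejects a bundle that contains no PEM certificates (the symptom when the list was never regenerated), and returns a ready options dict for requests.get(). Passing the result explicitly as verify= also covers the prepared-request flow quoted above, where requests does not consult the environment. The fallback path list, the function names and the PEM content written by demo() are my assumptions and constructed data, not anything from the project.

```python
import logging
import os
import re
import tempfile
from typing import Mapping, Optional, Sequence

log = logging.getLogger(__name__)

# Environment variables requests itself consults, in its order of precedence.
ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")
# Fallback locations (assumption): the first is the path used in the PR hunk.
DEFAULT_BUNDLES = ("/usr/local/etc/ssl/cert.pem", "/etc/ssl/cert.pem")

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(path: str) -> int:
    """Number of PEM certificate blocks in a bundle file (0 for an empty or non-PEM file)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return len(_PEM_CERT.findall(fh.read()))


def resolve_ca_bundle(env: Optional[Mapping[str, str]] = None,
                      candidates: Sequence[str] = DEFAULT_BUNDLES) -> Optional[str]:
    """Pick the CA bundle once: env variables first, then the first existing fallback path.

    A dangling env value is an error rather than a silent fallback, because it would
    otherwise hide a misconfiguration behind a later CERTIFICATE_VERIFY_FAILED.
    """
    env = os.environ if env is None else env
    for var in ENV_VARS:
        value = env.get(var)
        if value:
            if not os.path.exists(value):
                raise FileNotFoundError(f"{var} points to a missing path: {value}")
            return value
    for path in candidates:
        if os.path.exists(path):
            return path
    return None


def build_request_opts(env: Optional[Mapping[str, str]] = None,
                       candidates: Sequence[str] = DEFAULT_BUNDLES,
                       min_certs: int = 1) -> dict:
    """Build the keyword options for requests.get(url, **opts) with verify= set explicitly."""
    opts = {"stream": True}
    bundle = resolve_ca_bundle(env, candidates)
    if bundle is None:
        log.warning("no CA bundle found; requests will trust only its built-in CAs")
        return opts
    # verify= may also name a directory of CA files; only a file is checked for content.
    if os.path.isfile(bundle):
        found = count_pem_certs(bundle)
        if found < min_certs:
            raise ValueError(f"{bundle} holds {found} certificate(s), expected at least {min_certs}")
    opts["verify"] = bundle
    return opts


def write_constructed_bundle(path: str, n_certs: int) -> str:
    """Write a constructed (not real) PEM file with n_certs placeholder blocks; returns the path."""
    block = ("-----BEGIN CERTIFICATE-----\n"
             "placeholder-not-a-real-certificate\n"
             "-----END CERTIFICATE-----\n")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(block * n_certs)
    return path


def demo() -> dict:
    """Exercise the resolver against constructed bundles in a temp dir; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = write_constructed_bundle(os.path.join(tmp, "cert.pem"), 2)
        empty = write_constructed_bundle(os.path.join(tmp, "empty.pem"), 0)
        missing = os.path.join(tmp, "missing.pem")
        results["env_wins"] = resolve_ca_bundle({"REQUESTS_CA_BUNDLE": good}, (empty,)) == good
        results["fallback_used"] = resolve_ca_bundle({}, (missing, good)) == good
        results["none_when_absent"] = resolve_ca_bundle({}, (missing,)) is None
        results["verify_set"] = build_request_opts({"REQUESTS_CA_BUNDLE": good}, ()).get("verify") == good
        results["cert_count"] = count_pem_certs(good)
        try:
            build_request_opts({"REQUESTS_CA_BUNDLE": empty}, ())
            results["empty_rejected"] = False
        except ValueError:
            results["empty_rejected"] = True
        try:
            resolve_ca_bundle({"CURL_CA_BUNDLE": missing}, ())
            results["dangling_env_rejected"] = False
        except FileNotFoundError:
            results["dangling_env_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real caller the dict is spread into the request, e.g. requests.get(url, **build_request_opts()), so a missing or empty bundle is reported at the point of configuration rather than surfacing later as CERTIFICATE_VERIFY_FAILED.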
When you are using the prepared request flow, keep in mind that it does not take into account the environment. This can cause problems if you are using environment variables to change the behaviour of requests. For example: Self-signed SSL certificates specified in REQUESTS_CA_BUNDLE will not be taken into account. As a result an SSL: CERTIFICATE_VERIFY_FAILED is thrown.
sure, but we're not talking about a self-signed cert, but a cert signed by a self-created CA, which is basically the same as any other CA in the list, unless we're trying to create a self-signed cert which does not belong to a CA.....
just to be sure, you did try this yourself?
Self signed certs also work when uploading them to Authorities.
I could imagine that to be some sort of difference, but indeed it isn't: env and parameter should be the same according to the source. Just leaving this here for reference.
Upon further reflection, I believe they just tried to manually update the list without engaging configd...
Sorry for the wasted time.
Maybe the button should be renamed to "Apply & Update Blocklists" similarly to how Suricata displays it.
@fichtner Is there merit to this, or should we close it?
Maybe the button should be renamed to "Apply & Update Blocklists" similarly to how Suricata rules display it.
Important notices
Before you submit a pull request, we ask you kindly to acknowledge the following:
Related issue
Closes: #10281