Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS client is build with InsecureSkipVerify #1263

Closed
aman-bansal opened this issue Oct 15, 2020 · 10 comments
Closed

TLS client is build with InsecureSkipVerify #1263

aman-bansal opened this issue Oct 15, 2020 · 10 comments
Labels
auth enhancement New feature or request stale All issues that are marked as stale due to inactivity

Comments

@aman-bansal
Copy link
Contributor

InsecureSkipVerify while defined TLS client is not recommended in production systems. This is susceptible to man in the middle attack. Only for internal testing, this should be enabled.

Expected Behavior

One of the hidden features of TLS is hostname verification. While defining client, ServerName verification is needed to detect if there is any routing via man in the middle attack. For this to work, the client should know which server he is expecting the results. It works automatically if the hostname is matched to the server name provided in the certificate. Otherwise, we need to specify it separately.

Actual Behavior

InsecureSkipVerify is being used and thus hostname verification is skipped.

Specifications

Present in all versions

Solution / Suggestion

I believe for every scaler using TLS server name should be added as an additional trigger parameter. If not provided, we will use InsecureSkipVerify.

Let's discuss how best we can achieve this. And I would love to pick this up too.
cc. @ahmelsayed @zroubalik @tomkerkhove @turbaszek
@aman-bansal aman-bansal added the bug Something isn't working label Oct 15, 2020
@aman-bansal aman-bansal mentioned this issue Oct 16, 2020
Closed
4 tasks
@arschles
Copy link
Contributor

https://github.com/kedacore/keda/pull/1251/files makes some progress towards this. creation of HTTP requests is limited to 1-2 points in the code

@tomkerkhove
Copy link
Member

Is this just for RabbitMQ @aman-bansal?

@tomkerkhove tomkerkhove added auth enhancement New feature or request and removed bug Something isn't working labels Oct 27, 2020
@aman-bansal
Copy link
Contributor Author

No it's something that has been present at every place where we work with TLS. RabbitMQ, Kafka, Metric api everywhere.

@marchmallow
Copy link
Contributor

We could help support it for Redis TLS too

@arschles
Copy link
Contributor

arschles commented Nov 6, 2020

#1251 (comment) for related discussion on this

@stale
Copy link

stale bot commented Oct 13, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Oct 13, 2021
@arschles
Copy link
Contributor

It seems that this issue should stay open. Our TLS clients should, by default, not be built with InsecureSkipVerify

@stale stale bot removed the stale All issues that are marked as stale due to inactivity label Oct 18, 2021
@stale
Copy link

stale bot commented Dec 17, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Dec 17, 2021
@stale
Copy link

stale bot commented Dec 25, 2021

This issue has been automatically closed due to inactivity.

@stale stale bot closed this as completed Dec 25, 2021
@debu99
Copy link

debu99 commented Oct 29, 2022

looks like rabbitmq doesn't support it yet until now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auth enhancement New feature or request stale All issues that are marked as stale due to inactivity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@arschles @tomkerkhove @marchmallow @aman-bansal @debu99