As Chef has grown up, we've found that we've needed to revisit some
decisions we made when Chef was an unruly upstart open source project.
One such decision is how Chef handles HTTPS connections by default.
Currently, Chef defaults to not verifying certificates when it makes
HTTPS connections. There are a number of reasons why this choice made
sense at the time, but now they're either no longer valid or not strong
enough to justify keeping this insecure default behavior.
Over the next few Chef releases, we'll be introducing changes and
tooling that will enable us to start verifying certificate authenticity
by default. One of the biggest challenges we face is providing a humane
interface to understanding and fixing SSL errors when they occur. We
know from experience and example that when changes like this are done
poorly, some frustrated users react by disabling the added security
protections because it's the simplest path to making the errors stop.
This is counterproductive, so we'll be working hard to make sure the
transition is smooth and users have the tools they need to understand
and fix SSL errors the right way.
For many Chef users, enabling SSL validation by default will be a
breaking change, so it will take time before we can flip the switch. If
you want to enable certificate validation in chef-client right now, you
can simply set ssl_verify_mode :verify_peer
in your config file.
Chef 11.8 contains the first batch of changes related to enabling SSL
validation by default. In this release, we've added:

- verify_api_cert config option: This setting enables SSL validation
- trusted_certs directory: Any certificates placed in the trusted_certs
  directory (/etc/chef/trusted_certs by default on UNIX)
- SSL_CERT_FILE environment variable to make ruby use

The updates in Chef 11.8 prepare us for the next steps.

- trusted_certs: In order to make SSL validation
- knife bootstrap
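To make concrete what ssl_verify_mode and a trusted_certs directory actually do, here is an added example using only Ruby's OpenSSL bindings. It is not Chef's code: the self-signed certificate stands in for a Chef server's certificate, the hostname, file name and helper names are constructed for the example, and the trusted_certs directory is a temporary directory. It runs three TLS handshakes over an in-process socket pair: with VERIFY_NONE (today's default, which accepts anything), with VERIFY_PEER against an empty trusted_certs directory (the handshake is refused), and with VERIFY_PEER after the server's certificate has been dropped into that directory (the handshake succeeds, which is the right way to fix the error rather than switching back to :verify_none).

```ruby
require 'openssl'
require 'socket'
require 'tmpdir'

# Added example, not Chef's own code. Models ssl_verify_mode and a
# trusted_certs directory with plain Ruby OpenSSL; all names are constructed.

# Self-signed certificate standing in for a Chef server's certificate
# (constructed test data, not from any real server).
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# What a trusted_certs directory amounts to: a certificate store holding the
# platform CA bundle plus every PEM file dropped into the directory.
def build_store(trusted_certs_dir)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  Dir.glob(File.join(trusted_certs_dir, "*.{crt,pem}")).sort.each do |path|
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
  end
  store
end

# One TLS handshake over an in-process socket pair. Returns :connected if the
# client accepted the server's certificate under verify_mode, else :rejected.
def handshake(verify_mode, store, server_cert, server_key)
  client_io, server_io = Socket.pair(:UNIX, :STREAM, 0)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.add_certificate(server_cert, server_key)
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLSocket.new(server_io, server_ctx).accept.close
    rescue OpenSSL::SSL::SSLError
      nil # the client aborted the handshake because it rejected our cert
    end
  end
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = verify_mode   # VERIFY_NONE vs VERIFY_PEER
  client_ctx.cert_store  = store         # the trusted_certs-backed store
  begin
    OpenSSL::SSL::SSLSocket.new(client_io, client_ctx).connect.close
    :connected
  rescue OpenSSL::SSL::SSLError
    :rejected
  ensure
    server.join
    client_io.close
    server_io.close
  end
end

# The three states the post contrasts, in order.
def run_demo
  cert, key = make_self_signed_cert("chef.example.internal") # constructed name
  Dir.mktmpdir("trusted_certs") do |dir|
    results = {}
    # 1. Today's default: verify nothing, so any certificate is accepted.
    results[:verify_none] = handshake(OpenSSL::SSL::VERIFY_NONE, build_store(dir), cert, key)
    # 2. ssl_verify_mode :verify_peer with an empty trusted_certs directory:
    #    the self-signed certificate is untrusted and the handshake fails.
    results[:verify_peer_untrusted] = handshake(OpenSSL::SSL::VERIFY_PEER, build_store(dir), cert, key)
    # 3. Place the server certificate in trusted_certs; :verify_peer now passes.
    File.write(File.join(dir, "chef-server.crt"), cert.to_pem)
    results[:verify_peer_trusted] = handshake(OpenSSL::SSL::VERIFY_PEER, build_store(dir), cert, key)
    results
  end
end

if __FILE__ == $0
  run_demo.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

Two caveats a practitioner should keep in mind: the example checks only that the certificate chains to a trusted anchor, not that its name matches the host (Ruby's SSLContext does that separately via verify_hostname or post_connection_check), and trusting a self-signed server certificate this way means you must replace the file in trusted_certs whenever the server's certificate is rotated.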
Once all of the above features are in place, we'll enable certificate
validation by default in the next major release of Chef.
If you'd like to understand Ruby's handling of SSL certificates in
depth, Mislav wrote an excellent post on this topic
and he has also published a set of scripts to help debug SSL issues.