cf-deployment
cf-deployment copied to clipboard
cloudfoundry
Validate component certs by default
What is this issue about?
cf-deployment currently skips verification of certificates for certain inter-component communications by default, with an ops file to stop skipping certificate validation.
We would expect the reverse, that cf-deployment be the most secure by default, with an ops file to make it insecure as desired.
What version of cf-deployment are you using?
cf-deployment v17.1.0
Please include the bosh deploy... command, including all the operations files (plus any experimental operation files you're using):
N/A
Please provide output that helps describe the issue:
N/A
What IaaS is this issue occurring on?
N/A
Is there anything else unique or special about your setup?
N/A
Tag your pair, your PM, and/or team!
@mkocher @acrmp
We tried to resolve this in #952. However, the CF-D pipeline environments use self-signed certs, which prevented tests from passing. Therefore, created we were forced to revert that PR, and have created this issue to track future work.
Tim Downey also noted that many of the present cert validation skips are in place due to a long-standing issue with validating certs for space-scoped service brokers in CC_NG.