RFE: Need an alternative to trust a certificate without re-building the IPA image
Bug #1616495 reported by Juan Antonio Osorio Robles
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ironic-python-agent | Triaged | Wishlist | Unassigned |
Bug Description
Currently the only way to trust a certificate that isn't included in the CA bundle used by requests is to add the self-signed certificate (or CA certificate) to the image, which requires re-building the IPA image. This is not always possible. For instance, for companies that provide images to customers, the hash of the IPA image is registered for support purposes.
The proposal is to get the fingerprint from configuration provided to the IPA and compare that to the one that the server IPA will contact is exposing. If they match then we can trust that certificate. This doesn't provide full security, but a basic integrity check is enough in some environments.
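The fingerprint comparison proposed above, sketched as an added example; it is not code from ironic-python-agent or from the patch linked in this report. The function names are hypothetical, SHA-256 over the DER-encoded certificate is an assumption (the report does not name a hash), and `SAMPLE_DER` is constructed placeholder bytes rather than a real certificate.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder standing in for a DER-encoded server certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"


def normalize_fingerprint(value):
    """Accept 'AA:BB:...', 'aabb...' or 'sha256:AABB...'; return lowercase hex."""
    value = value.strip().lower()
    if value.startswith("sha256:"):
        value = value[len("sha256:"):]
    hex_digest = value.replace(":", "").replace(" ", "")
    if len(hex_digest) != 64 or any(c not in "0123456789abcdef" for c in hex_digest):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hex_digest


def fingerprint_matches(cert_der, configured):
    """Hash the exact DER bytes the server presented and compare to the config value."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(configured))


def fetch_peer_cert_der(host, port, timeout=10.0):
    """Return the server's leaf certificate as DER without validating its chain."""
    ctx = ssl.create_default_context()
    # Chain and hostname checks are off because the certificate is not in the
    # CA bundle; the trust decision is made by the fingerprint check instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pinned_server(host, port, configured):
    """Raise unless the certificate presented by host:port has the configured fingerprint."""
    cert_der = fetch_peer_cert_der(host, port)
    if not fingerprint_matches(cert_der, configured):
        raise ssl.SSLError("certificate fingerprint mismatch for %s:%d" % (host, port))
    return cert_der


if __name__ == "__main__":
    pinned = "sha256:" + hashlib.sha256(SAMPLE_DER).hexdigest()
    print(fingerprint_matches(SAMPLE_DER, pinned))
```

A check made on one connection does not vouch for a later one, so the comparison belongs on the same TLS connection that carries the request.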
Changed in ironic-python-agent: | |
assignee: | nobody → Juan Antonio Osorio Robles (juan-osorio-robles) |
status: | New → In Progress |
summary: |
- Need an alternative to trust a certificate without re-building the IPA - iamge + RFE: Need an alternative to trust a certificate without re-building the + IPA image |
tags: | added: rfe |
Changed in ironic-python-agent: | |
importance: | Undecided → Wishlist |
tags: |
added: rfe-approved removed: rfe |
Changed in ironic-python-agent: | |
status: | In Progress → Triaged |
assignee: | Juan Antonio Osorio Robles (juan-osorio-robles) → nobody |
I think this seems fine, but would like a couple other specs cores to look at it as well.
For the record, the corresponding patch is here: https://review.openstack.org/#/c/358457