> We need to move away from this pervasive assumption that private networks are secure.
I can certainly relate to that. The question is, when does a missing important security feature become a vulnerability ?
Advertising encryption between components while not properly implementing it is definitely a vulnerability in my book (we issued OSSAs for that in the past, and have another in the pipe coming up). In the precise case of this bug it's slightly more blurry: "use_ssl" parameters are more to allow servers to connect to other services that are configured to only accept SSL, than to "encrypt internal communications". I agree that it can still be seen as "advertising encryption while not properly encrypting" though... so I'm OK with embargo/OSSA on this.
The remaining question is how to fix this in stable branches ? We are not supposed to introduce new configuration parameters in stable branches. We also need to not break anyone on upgrade, and there is no good default value for ca_file. Could we piggyback on a Python library that uses the local system cert store ?
> We need to move away from this pervasive assumption that private networks are secure.
I can certainly relate to that. The question is, when does a missing important security feature become a vulnerability ?
Advertising encryption between components while not properly implementing it is definitely a vulnerability in my book (we issued OSSAs for that in the past, and have another in the pipe coming up). In the precise case of this bug it's slightly more blurry: "use_ssl" parameters are more to allow servers to connect to other services that are configured to only accept SSL, than to "encrypt internal communications". I agree that it can still be seen as "advertising encryption while not properly encrypting" though... so I'm OK with embargo/OSSA on this.
The remaining question is how to fix this in stable branches ? We are not supposed to introduce new configuration parameters in stable branches. We also need to not break anyone on upgrade, and there is no good default value for ca_file. Could we piggyback on a Python library that uses the local system cert store ?