Comment 3 for bug 1639807

Revision history for this message
Jiri Tomasek (jtomasek) wrote :

First that comes to mind is why using ssl when the certificates end up being self signed.

There appears to be 'rejectUnauthorized' option in server side oriented libraries which handle xmlhttp requests. We currently use reqwest [1] library for handling ajax calls which seems not to provide any of such options (and by looking at other tools such as Fetch it does not seem that it is available anywhere else), but even if such option was available, it would have to be tied to a development environment only.

By doing some investigation, I see there is an option in firefox (an most probably in other browsers too) which allow to automatically accept invalid ssl certificates ([2]) this is obviously very insecure, but it imho matches the insecurity of using self-signed certificates.

I'd probably favor not enabling ssl for installing undercloud for testing purposes. If testing ssl and GUI at once, then mentioned browser option should be probably used.

[1] https://www.npmjs.com/package/reqwest
[2] http://stackoverflow.com/questions/20088/is-there-a-way-to-make-firefox-ignore-invalid-ssl-certificates

Additional links:
http://stackoverflow.com/questions/30902547/websocket-ssl-connection
http://stackoverflow.com/questions/32892161/ignore-errors-for-self-signed-ssl-certs-using-the-fetch-api-in-a-reactnative-app/36368360#36368360