Re: [EXTERNAL] Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread John Rushford
+1

> On Nov 30, 2018, at 3:47 PM, Dave Neuman wrote:
>
> Traffic Control only supports a very limited few (one, maybe two), so we shouldn't need to worry about that.
>
> On Fri, Nov 30, 2018 at 3:14 PM Gray, Jonathan wrote:
>
>> The instructions on adding a custom root CA to a server trus

Re: [EXTERNAL] Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Dave Neuman
Traffic Control only supports a very limited few (one, maybe two), so we shouldn't need to worry about that.

On Fri, Nov 30, 2018 at 3:14 PM Gray, Jonathan wrote:
> The instructions on adding a custom root CA to a server trust store are going to vary by OS, Distro, and Major Rev.
>
> Jonathan

Re: [EXTERNAL] Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Gray, Jonathan
The instructions on adding a custom root CA to a server trust store are going to vary by OS, Distro, and Major Rev.

Jonathan G

On 11/30/18, 2:55 PM, "Rawlin Peters" wrote:

    On Fri, Nov 30, 2018 at 12:56 PM Hank Beatty wrote:
    >
    > +1
    >
    > On 11/30/2018 02:43 PM, Rawlin Peter

Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Rawlin Peters
On Fri, Nov 30, 2018 at 12:56 PM Hank Beatty wrote:
>
> +1
>
> On 11/30/2018 02:43 PM, Rawlin Peters wrote:
> > If you want your self-signed certs to be fully validated by the API, you will need to create an internal signing authority, sign your created certs using that internal signing au

Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Dave Neuman
I can live with it. I still feel like there should be a way to bypass the validation, but I don't have a compelling reason for that right now. Maybe when I get my hands on this new code I will, but that can be a different discussion. Thanks for the follow-through, Rawlin, it is much appreciated.

Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Hank Beatty
+1

On 11/30/2018 02:43 PM, Rawlin Peters wrote:
> If you want your self-signed certs to be fully validated by the API, you will need to create an internal signing authority, sign your created certs using that internal signing authority, and install the internal signing authority certs on your TO s

Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Rawlin Peters
So, given the discussion so far, I believe this is what should be done:

Validate the added certificate. If it detects an unknown authority, allow the certs to be added but return an alert with level = warning with a message stating that the certs were added successfully but use an unknown authorit

Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Hank Beatty
Hello Rawlin,

+1 on validating certs.

On #2: Would it be possible to have the API default to true and make the query parameter (?validate=false)?

Regards,
Hank

On 11/28/2018 06:45 PM, Rawlin Peters wrote:
> Hey Traffic Controllers,
>
> If you're running a recent release of master you may find th

Re: [EXTERNAL] Re: SSL cert validation via Traffic Ops API

2018-11-30 Thread Jeremy Mitchell
FYI - TP can handle 4 alert levels: success, info, warning or error. Basically it just pops up a different colored message depending on the level value: success=green, info=blue, warning=yellow, error=red. This isn't really documented anywhere I guess except for in here: https://cwiki.apache.org/c

Re: [EXTERNAL] Re: SSL cert validation via Traffic Ops API

2018-11-29 Thread Gray, Jonathan
I'm not sure we can ever flag an untrusted authority as an error as a rule because a tenant could be creating a DS explicitly with internal trust which could be fine if their application stack could consume it. It's basically just informational to know if the cert is in a global trust or not.

Re: [EXTERNAL] Re: SSL cert validation via Traffic Ops API

2018-11-29 Thread Rawlin Peters
Ok, I will make sure the TP checkbox says "Validate Certificates" with it checked by default. However, Jonathan does bring up a good point about emitting a warning for authority trust validation rather than an error. My worry is that things in TP are typically binary: either the operation failed o

Re: [EXTERNAL] Re: SSL cert validation via Traffic Ops API

2018-11-29 Thread Gray, Jonathan
There are some kinds of validation that should be errors such as mismatched keys, broken chains, or cert ordering problems. Authority trust validation (against the TO system trusts) should be a warning.

Jonathan G

On 11/29/18, 7:45 AM, "Jeremy Mitchell" wrote:

    +1 on not doing no double

Re: SSL cert validation via Traffic Ops API

2018-11-29 Thread Jeremy Mitchell
+1 on not doing no double negatives... you know what I mean :)

On Thu, Nov 29, 2018 at 6:35 AM Eric Friedrich -X (efriedri - TRITON UK BIDCO LIMITED c/o Alter Domus (UK) Limited -OBO at Cisco) wrote:
> +1
> Sounds like a useful change, I know getting the right keys with the right certs can be d

Re: SSL cert validation via Traffic Ops API

2018-11-29 Thread Dave Neuman
+1 as well. I like that we are validating certificates, but I think we need a way to bypass as well. I also like Eric's suggestion.

On Thu, Nov 29, 2018 at 6:35 AM Eric Friedrich -X (efriedri - TRITON UK BIDCO LIMITED c/o Alter Domus (UK) Limited -OBO at Cisco) wrote:
> +1
> Sounds like a use

Re: SSL cert validation via Traffic Ops API

2018-11-29 Thread Eric Friedrich -X (efriedri - TRITON UK BIDCO LIMITED c/o Alter Domus (UK) Limited -OBO at Cisco)
+1

Sounds like a useful change, I know getting the right keys with the right certs can be difficult.

Is it possible to have the TP checkbox match the “polarity” of the API query parameter? Rather than “Skip Validation”, can the checkbox say “Validate Certs” and be checked by default? Its eas

SSL cert validation via Traffic Ops API

2018-11-28 Thread Rawlin Peters
Hey Traffic Controllers,

If you're running a recent release of master you may find that you currently cannot _add_ self-signed certificates using the API (and by extension TP). However, the API still allows generating self-signed certificates. So, if your self-signed certs are generated by the API