Merge branch 'mk-default-ldap-verify-certificates-secure' into 'master'

Default LDAP config verify_certificates to true Closes #33662 See merge request !13915

Merge branch 'mk-default-ldap-verify-certificates-secure' into 'master'
Default LDAP config verify_certificates to true Closes #33662 See merge request !13915
073f6f08 · Douwe Maan · a0b56846 · da6fede9 · 073f6f08 · 073f6f08
Commit 073f6f08 authored Aug 31, 2017 by Douwe Maan
4 changed files
--- a/changelogs/unreleased/mk-default-ldap-verify-certificates-secure.yml
+++ b/changelogs/unreleased/mk-default-ldap-verify-certificates-secure.yml
+---
+title: Default LDAP config "verify_certificates" to true for security
+merge_request: 13915
+author:
+type: changed
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -273,9 +273,8 @@ production: &base
        encryption: 'plain'

        # Enables SSL certificate verification if encryption method is
-        # "start_tls" or "simple_tls". (Defaults to false for backward-
-        # compatibility)
-        verify_certificates: false
+        # "start_tls" or "simple_tls". Defaults to true.
+        verify_certificates: true

        # Specifies the path to a file containing a PEM-format CA certificate,
        # e.g. if you need to use an internal CA.

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
    server['encryption'] = 'simple_tls' if server['encryption'] == 'ssl'
    server['encryption'] = 'start_tls' if server['encryption'] == 'tls'

-    # Certificates are not verified for backwards compatibility.
-    # This default should be flipped to true in 9.5.
-    if server['verify_certificates'].nil?
-      server['verify_certificates'] = false
-
-      message = <<-MSG.strip_heredoc
-        LDAP SSL certificate verification is disabled for backwards-compatibility.
-        Please add the "verify_certificates" option to gitlab.yml for each LDAP
-        server. Certificate verification will be enabled by default in GitLab 9.5.
-      MSG
-      Rails.logger.warn(message)
-    end
+    # Certificate verification was added in 9.4.2, and defaulted to false for
+    # backwards-compatibility.
+    #
+    # Since GitLab 10.0, verify_certificates defaults to true for security.
+    server['verify_certificates'] = true if server['verify_certificates'].nil?

    Settings.ldap['servers'][key] = server
  end

--- a/doc/administration/auth/ldap.md
+++ b/doc/administration/auth/ldap.md
@@ -87,9 +87,12 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
  encryption: 'plain'

  # Enables SSL certificate verification if encryption method is
-  # "start_tls" or "simple_tls". (Defaults to false for backward-
-  # compatibility)
-  verify_certificates: false
+  # "start_tls" or "simple_tls". Defaults to true since GitLab 10.0 for
+  # security. This may break installations upon upgrade to 10.0, that did
+  # not know their LDAP SSL certificates were not setup properly. For
+  # example, when using self-signed certificates, the ca_file path may
+  # need to be specified.
+  verify_certificates: true

  # Specifies the path to a file containing a PEM-format CA certificate,
  # e.g. if you need to use an internal CA.