driver fails on ssl-verify when run on a ssl intercepting network #250

Closed
mattstratton opened this issue May 11, 2016 · 1 comment

@mattstratton

More and more commonly, users are wanting to leverage these tools inside of an enterprise network that has SSL Intercepting features enabled (see https://bto.bluecoat.com/webguides/proxysg/security_first_steps/Content/Solutions/SSL/ssl_solution.htm for one such example).

On a network with this enabled, attempts to verify the SSL certificates will fail, as the cert will not show as valid (as the cert is from the proxy device and not the actual destination).

Example output of running kitchen inside such a network:

-----> Starting Kitchen (v1.7.3)
D      winrm requested, loading winrm gem (["~> 1.6"])
D      winrm is loaded.
D      winrm-fs requested, loading winrm-fs gem (["~> 0.4.1"])
D      winrm-fs is loaded.
-----> Creating <default-windows-2012r2>...
D      ------Exception-------
D      Class: Kitchen::ActionFailed
D      Message: Failed to complete #create action: [SSL_connect returned=1 errno=0 state=error: certificate verify failed]
D      ---Nested Exception---
D      Class: Seahorse::Client::NetworkingError
D      Message: SSL_connect returned=1 errno=0 state=error: certificate verify failed
D      ------Backtrace-------

Ideally, there should be some type of setting in the driver to bypass ssl verification for such cases.

@mattstratton
Author

Possibly helpful info - amazon-archives/aws-sdk-core-ruby#166 (comment)

cheeseplus pushed a commit that referenced this issue Feb 8, 2017
fixes #250 and provides the option to set ssl_peer_verify to false
kamaradclimber added a commit to criteo-forks/kitchen-ec2 that referenced this issue Jun 12, 2017
* upstream/master:
  modernize winrm setup and fix for 2008r2
  Updated readme based on issue 300
  Correct the docs for image_id
  Fix 1 last chefstyle warning
  Require Ruby 2.2.2.
  Use chefstyle in Rake
  Remove rack constraint. Removes Ruby 2.1 support
  Move github_changelog_generator back to the gem spec
  Remove Rake constraint
  Switch to Chefstyle
  Test on Ruby 2.4.0
  Remove test-kitchen from the Gemfile as it’s in the spec
  Cut 1.3.2
  Don't try to set tags if there aren't any.
  Actually bumping version
  Release 1.3.1 hotfix
  reinstate default shared creds option
  Release 1.3.0
  In the client, only source creds from the shared file when necessary (test-kitchen#259)
  fixes test-kitchen#250 and provides the option to set ssl_peer_verify to false