[pve-devel] [PATCH manager] ui: storage: esxi: check 'skip certificate verification' by default
Dominik Csapak
d.csapak at proxmox.com
Fri Mar 22 08:29:08 CET 2024
On 3/21/24 18:07, Thomas Lamprecht wrote:
> On 20/03/2024 16:39, Dominik Csapak wrote:
>> needing one less step when adding the storage, assuming most esxi
>> certificates are self-signed.
>
> Well this makes it insecure by default though? Which is not something
> I'd just not mention in such a commit message...
imho it is very obvious what it does from the commit subject?
'skipping the certificate verification'
?
but ok, i can add a sentence more in the description..
>
> As that was the original reason I ticked it in the first place
> when pondering between security and convenience...
>
the thought here was that users that make the effort of giving
their esxi instances valid certificates, can simply uncheck the checkbox?
and i guess many of the users won't bother doing that for the
esxi instances? (e.g. vcenter does not make that distinction, all
it does is ask for hostname/ip + password, and cert management seems
to be non-trivial)
> If we do this I'd rather rename it to "Check Certificate" and have
> that unticked.
ok makes sense, i'd name it 'verify certificate' though to be in line
with our realm/metric server wording
also should this be only in the frontend, or do we want to reverse
the api/config option as well?
>
> Even better would be to be able to pass a finger-print, which was our
> first idea, but Wolfgang found that the esxi python wrapper is too
> enterprisy to hook into basic TLS validation, and he also rejected
> proxying..