Default LDAP config verify_certificates to true

author: Michael Kozono <mkozono@gmail.com> 2017-08-30 02:47:43 +0300
committer: Michael Kozono <mkozono@gmail.com> 2017-08-30 21:27:01 +0300
commit: dd3e7ff036401b4c3b754a24bfdf9248ae8a8fe5 (patch)
tree: 5968190fe4af68daeaedf1a24f657f06d9d466cc /config/initializers
parent: cbaa015cc9f55a387cdab85a6ba4b8c9c6ab447e (diff)
1 files changed, 5 insertions, 12 deletions
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index abaabad5d65..360b72cdea3 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
     server['encryption'] = 'simple_tls' if server['encryption'] == 'ssl'
     server['encryption'] = 'start_tls' if server['encryption'] == 'tls'
 
-    # Certificates are not verified for backwards compatibility.
-    # This default should be flipped to true in 9.5.
-    if server['verify_certificates'].nil?
-      server['verify_certificates'] = false
-
-      message = <<-MSG.strip_heredoc
-        LDAP SSL certificate verification is disabled for backwards-compatibility.
-        Please add the "verify_certificates" option to gitlab.yml for each LDAP
-        server. Certificate verification will be enabled by default in GitLab 9.5.
-      MSG
-      Rails.logger.warn(message)
-    end
+    # Certificate verification was added in 9.4.2, and defaulted to false for
+    # backwards-compatibility.
+    #
+    # Since GitLab 10.0, verify_certificates defaults to true for security.
+    server['verify_certificates'] = true if server['verify_certificates'].nil?
 
     Settings.ldap['servers'][key] = server
   end
author	Michael Kozono <mkozono@gmail.com>	2017-08-30 02:47:43 +0300
committer	Michael Kozono <mkozono@gmail.com>	2017-08-30 21:27:01 +0300
commit	dd3e7ff036401b4c3b754a24bfdf9248ae8a8fe5 (patch)
tree	5968190fe4af68daeaedf1a24f657f06d9d466cc /config/initializers
parent	cbaa015cc9f55a387cdab85a6ba4b8c9c6ab447e (diff)