- Issue created by @fox_01
- Merge request !6 Issue #3421447 by fox_01: Accept unsigned certificates of selfhosted websers → (Closed) created by fox_01
- Merge request !7 Issue #3421447 by fox_01: Accept unsigned certificates of selfhosted websers → (Closed) created by fox_01
- 🇺🇸 United States cmlara
Before this goes too much further:
I'm on the fence about this. While I maintain other modules where options to ignore are available, I'm not sure we should allow this for Vault.
The connection from the module to the Vault server is inherently security critical.
An unsigned/unverified HTTPS connection is better than an HTTP connection; however, it is only moderately better in my opinion.
It would be much better to encourage admins to load the Vault self-signed CA onto the PHP instances or even just to obtain an LE certificate.
If this does go through it should probably only be able to be enabled via config import, with a warning on the config page and the hook_requirements.
This would also need to be done under PSR options, not Guzzle (assumption being Guzzle might be replaced by a different library).
- Status changed to Closed: won't fix, 3:06am 2 November 2024
- 🇺🇸 United States cmlara
Given that no arguments were given as to why we should not require updating the site certificate store, I'm going to close this as won't-fix.
Additionally, as we use an injected client, this could be changed outside Vault by overriding the core http_client service (possibly by core itself as it provides the http_client service).
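
The certificate-store route discussed in the two comments above, as an added example that is not code from the thread or from the Vault module. The function name `vault_ca_http_options()`, the environment variable `SITE_CA_BUNDLE` and the bundle it points to are hypothetical; `http_client_config` is Drupal core's settings key for its `http_client` service and `verify` is Guzzle's request option.

```php
<?php
// Added example. Function name and environment variable are hypothetical.

/**
 * Returns Guzzle options that verify the Vault server against a private CA.
 * Fails closed: any problem throws rather than disabling verification.
 */
function vault_ca_http_options(string $caBundle): array {
  if (!is_file($caBundle) || !is_readable($caBundle)) {
    throw new RuntimeException("CA bundle not readable: $caBundle");
  }
  // openssl_x509_parse() reads the first PEM certificate in the file.
  $info = openssl_x509_parse((string) file_get_contents($caBundle));
  if ($info === false) {
    throw new RuntimeException("No PEM certificate found in $caBundle");
  }
  $now = time();
  if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
    throw new RuntimeException("Certificate in $caBundle is outside its validity period");
  }
  // A string value for 'verify' keeps peer and host name checks enabled
  // and makes this file the only trust store for the request.
  return ['verify' => $caBundle];
}

// The setting the issue asked for, shown only for contrast:
//   $settings['http_client_config']['verify'] = FALSE;
//
// In settings.php, the same key with verification kept on. It applies to
// every request made through Drupal's http_client service, so the bundle
// must also hold the public CAs the site needs (for example the system
// bundle with the Vault CA appended).
$bundle = getenv('SITE_CA_BUNDLE'); // hypothetical variable holding the path
if ($bundle !== false) {
  $settings['http_client_config'] = vault_ca_http_options($bundle)
    + ($settings['http_client_config'] ?? []);
}
```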