DOCKER_TLS_VERIFY automatically enabled even without any config #1169

Closed
sureshsankaran opened this issue Jul 29, 2019 · 3 comments

@sureshsankaran

Test setup:
Docker extension version - Alpha version built from source code as it is on July 27, 2019.
Docker engine on remote machine - 18.03 version

I was trying to connect to a remote Docker engine by setting the config parameters corresponding to DOCKER_HOST and DOCKER_CERT_PATH. I didn't set any value for the "DOCKER_TLS_VERIFY" associated setting. Now the extension throws an error saying invalid server certificate, mismatched common name in the cert. I understand that the IP address used to connect to the Docker engine is different from the one present in the SSL cert common name. But this is the expected behavior with DOCKER_TLS_VERIFY=1. But why am I getting this error without even setting VERIFY=1?

Expected behavior:
Extension should successfully connect to the remote docker engine without having to verify the server ssl cert.

@ejizba
Contributor

ejizba commented Jul 31, 2019

We leverage docker-modem under the covers which has this logic:

if (process.env.DOCKER_TLS_VERIFY === '1' || opts.port === '2376') {
  opts.protocol = 'https';
} else {
  opts.protocol = 'http';
}

Are you using port 2376? Based on these docs:

It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon.

@sureshsankaran
Author

sureshsankaran commented Jul 31, 2019

Yes, I am using port 2376 with HTTPS TLS. The issue here is to support the client mode where we don't verify the server certificate.

Like the third bullet point of client modes in this snapshot.

[Image: Screen Shot 2019-07-26 at 8 25 18 PM]

https://docs.docker.com/engine/security/https/

@bwateratmsft
Collaborator

As this is a limitation of docker-modem, I have copied this issue there: apocas/docker-modem#110

@bwateratmsft bwateratmsft removed their assignment Oct 21, 2019
@bwateratmsft bwateratmsft removed this from the Future milestone Nov 4, 2019
@vscodebot vscodebot bot locked and limited conversation to collaborators Dec 5, 2019
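
An added example (not code from docker-modem, the extension, or anyone in this thread): it pairs the port-based protocol choice quoted above with Node's `tls.checkServerIdentity` to show why connecting by IP address fails against a certificate issued for a hostname, and that a certificate listing the IP as a subject alternative name passes with verification left on. The host name, IP address and certificate objects are constructed samples; `selectProtocol`, `identityError` and `diagnose` are hypothetical helper names.

```javascript
const tls = require('tls');

// Same decision as the docker-modem snippet quoted in the thread, written as a
// pure function; `env` stands in for process.env. (Hypothetical helper name.)
function selectProtocol(opts, env) {
  return env.DOCKER_TLS_VERIFY === '1' || opts.port === '2376' ? 'https' : 'http';
}

// Run the identity check Node's TLS client applies to a server certificate.
// Returns null on a match, otherwise the error code. (Hypothetical helper name.)
function identityError(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return err ? err.code : null;
}

// Combine both steps for one connection attempt. (Hypothetical helper name.)
function diagnose(opts, env, cert) {
  const protocol = selectProtocol(opts, env);
  if (protocol === 'http') return { protocol, identity: 'not checked' };
  return { protocol, identity: identityError(opts.host, cert) || 'ok' };
}

// Constructed sample certificates, in the object shape Node hands to
// checkServerIdentity (not taken from the issue).
const cnOnly = { subject: { CN: 'docker.example.internal' } };
const withIpSan = {
  subject: { CN: 'docker.example.internal' },
  subjectaltname: 'DNS:docker.example.internal, IP Address:192.0.2.10',
};

const noEnv = {}; // DOCKER_TLS_VERIFY unset, as in the report

// Port 2376 alone selects https, so the certificate is checked; Node matches
// an IP address only against IP SAN entries, never against the CN.
console.log(diagnose({ host: '192.0.2.10', port: '2376' }, noEnv, cnOnly));
// Same certificate, reached by the name it was issued for.
console.log(diagnose({ host: 'docker.example.internal', port: '2376' }, noEnv, cnOnly));
// Reissued certificate that lists the IP: passes with verification still on.
console.log(diagnose({ host: '192.0.2.10', port: '2376' }, noEnv, withIpSan));
// Port 2375 with the variable unset: plaintext, no certificate involved.
console.log(diagnose({ host: '192.0.2.10', port: '2375' }, noEnv, cnOnly));
```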