Skip to content

Fix KEEPER_SSL_CERT_FILE ignored for HTTP SSL verification#2172

Merged
amangalampalli-ks merged 1 commit into
fix/ssl-custom-ca-verifyfrom
fix/ssl-custom-ca-verify-int
Jun 26, 2026
Merged

Fix KEEPER_SSL_CERT_FILE ignored for HTTP SSL verification#2172
amangalampalli-ks merged 1 commit into
fix/ssl-custom-ca-verifyfrom
fix/ssl-custom-ca-verify-int

Conversation

@amangalampalli-ks

@amangalampalli-ks amangalampalli-ks commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Fixes an issue where customers behind TLS-inspecting proxies could not use a custom certificate file for login and HTTP API calls.
  • Unifies how SSL verification is resolved across the CLI so all HTTP traffic respects the same settings.
  • Preserves existing behavior for disabling verification via environment variable and config.
  • Tunnel WebSocket connections are unchanged and still use the previous verification path.

Changes

Area Command to test What changed
Login keeper login Already used certificate_check; getter now reads KEEPER_SSL_CERT_FILE
Sync / vault keeper sync-down → keeper list Same as above
Router REST keeper pam gateway list Renamed to ssl_verify; getter fix
File upload Upload attachment to a record Renamed to ssl_verify only
Record v3 upload keeper upload-attachment Renamed to ssl_verify only
Import/export Import with attachments Renamed to ssl_verify only
SSO metadata keeper sso-cloud download-metadata Renamed to ssl_verify only
LastPass import keeper import lastpass ... Renamed to ssl_verify only
PAM KRouter HTTP keeper pam gateway list Was VERIFY_SSL → now params.ssl_verify
PAM gateway info keeper pam gateway info Was VERIFY_SSL → now params.ssl_verify
PAM launch HTTP keeper connect Was VERIFY_SSL → now params.ssl_verify
Tunnel HTTP Tunnel / port-forward connect Was VERIFY_SSL → now params.ssl_verify
PAM debug krouter keeper pam action debug krouter Was VERIFY_SSL → now params.ssl_verify
DAG (Commander) PAM rotation / graph sync Was VERIFY_SSL → now resolve_http_ssl_verify(params)
DAG (KSM) KSM-only DAG flows Was VERIFY_SSL → now resolve_http_ssl_verify()
PAM SaaS (GitHub) keeper pam-action-saas list Now also honors VERIFY_SSL=FALSE
Tunnel WebSocket Same tunnel connect Unchanged — still VERIFY_SSL bool only

VERIFY_SSL: Legacy on/off env var — FALSE disables SSL checking; no custom CA path.

params.ssl_verify: Cached HTTP SSL setting from KEEPER_SSL_CERT_FILE, config, or VERIFY_SSL=FALSE — returns False or a CA file path.

@amangalampalli-ks amangalampalli-ks self-assigned this Jun 26, 2026
@amangalampalli-ks
amangalampalli-ks marked this pull request as ready for review June 26, 2026 07:21
@amangalampalli-ks
amangalampalli-ks merged commit 8e3431c into fix/ssl-custom-ca-verify Jun 26, 2026
4 checks passed
@sk-keeper
sk-keeper deleted the fix/ssl-custom-ca-verify-int branch June 26, 2026 18:11
amangalampalli-ks added a commit that referenced this pull request Jun 29, 2026
craiglurey pushed a commit that referenced this pull request Jul 2, 2026
* Fix KEEPER_SSL_CERT_FILE ignored for HTTP SSL verification for REST, PAM, tunnel HTTP, and DAG (#2172)

* Add KEEPER_SSL_CERT_FILE test; Replace ssl_aware_get with requests.get(..., verify=params.ssl_verify)

* Revert vendored keeper_dag SSL changes; land in keeper-dag PR

GraphSync connection SSL wiring belongs in the keeper-dag repo and will
sync into Commander via copy_to_commander.py after both PRs merge.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
sk-keeper pushed a commit that referenced this pull request Jul 2, 2026
* Fix KEEPER_SSL_CERT_FILE ignored for HTTP SSL verification for REST, PAM, tunnel HTTP, and DAG (#2172)

* Add KEEPER_SSL_CERT_FILE test; Replace ssl_aware_get with requests.get(..., verify=params.ssl_verify)

* Revert vendored keeper_dag SSL changes; land in keeper-dag PR

GraphSync connection SSL wiring belongs in the keeper-dag repo and will
sync into Commander via copy_to_commander.py after both PRs merge.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
pvagare-ks pushed a commit that referenced this pull request Jul 16, 2026
* Fix KEEPER_SSL_CERT_FILE ignored for HTTP SSL verification for REST, PAM, tunnel HTTP, and DAG (#2172)

* Add KEEPER_SSL_CERT_FILE test; Replace ssl_aware_get with requests.get(..., verify=params.ssl_verify)

* Revert vendored keeper_dag SSL changes; land in keeper-dag PR

GraphSync connection SSL wiring belongs in the keeper-dag repo and will
sync into Commander via copy_to_commander.py after both PRs merge.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants