Add an ops feature flag for cert loading

56933f2f · Robert May · d763b981 · 56933f2f
Commit 56933f2f authored Feb 23, 2021 by Robert May
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

lib/gitlab/x509/signature.rb lib/gitlab/x509/signature.rb +4 -2

No files found.
--- a/lib/gitlab/x509/signature.rb
+++ b/lib/gitlab/x509/signature.rb
@@ -53,8 +53,10 @@ module Gitlab
          store = OpenSSL::X509::Store.new
          store.set_default_paths

-          # Forcibly load the default cert file because the OpenSSL library seemingly ignores it
-          store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE) if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+          if Feature.enabled?(:x509_forced_cert_loading, type: :ops)
+            # Forcibly load the default cert file because the OpenSSL library seemingly ignores it
+            store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE) if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+          end

          # valid_signing_time? checks the time attributes already
          # this flag is required, otherwise expired certificates would become