Vault hardening configuration VAULT_SKIP_VERIFY=true


I'm using HashiCorp Vault to issue my certificates and it works fine, but now I need to harden the configuration. I tried to force the use of TLS, but I can still connect to my Vault using VAULT_SKIP_VERIFY=true and access my data in Vault.

I tried this conf:

vault-config.json

{
    "api_addr": "https://x.x.x.x:8200",
    "cluster_addr": "https://x.x.x.x:8201",
    "ui": true,
    "backend": {
        "file": {
            "path": "file"
        }
    },
    "log_requests_level": "trace",
    "log_level": "trace",
    "default_lease_ttl": "168h",
    "max_lease_ttl": "720h",
    "listener": {
        "tcp": {
            "address": "x.x.x.x:8200",
            "tls_cert_file": "/path/to/fullchain",
            "tls_key_file": "/path/to/server.key",
            "tls_min_version": "tls12",
            "tls_verify": true,
            "tls_disable": false
        }
    }
}

But I can still connect to Vault using VAULT_SKIP_VERIFY=true, and without even declaring the token.

Answer by ixe013:

The environment variable VAULT_SKIP_VERIFY is used by the client, not the server.

As with most things related to certificates, the client trusts the server using one of the following methods:

  1. The certificate is issued by a trusted issuer
  2. The certificate is pinned (must match exactly)
  3. The certificate is not even looked at

Setting VAULT_SKIP_VERIFY is how you tell the client that you don't care about the server's certificate. The variable is honored by the vault command-line client, and maybe by some API wrappers.

Having a valid token or not is irrelevant. If you don't trust the server, your client would not even send it. If you do send it, the server has no way to tell which method you used to trust it.

Your server configuration uses the flag tls_verify, which does not exist.
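To make the answer's point concrete, the Go program below is an added example, not code from the answer or from HashiCorp Vault. It starts a TLS server on loopback with a self-signed certificate generated in-process (constructed for the demo) and connects to it with a client in each of the three trust modes the answer lists. The hostname vault.example, the TrustMode names and the functions NewSelfSignedCert, ClientTLSConfig and Handshake are this example's own inventions; the crypto/tls fields the client sets (RootCAs, InsecureSkipVerify) are what VAULT_CACERT and VAULT_SKIP_VERIFY end up setting in the vault CLI's TLS configuration. The CLI's documented environment variables cover the first and third modes; the pinned mode is included here only to cover the answer's full list.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TrustMode is the client-side choice the answer lists: with the vault CLI,
// VAULT_CACERT selects TrustCA and VAULT_SKIP_VERIFY=true selects TrustNone.
type TrustMode int

const (
	TrustCA   TrustMode = iota // 1. issued by a trusted issuer
	TrustPin                   // 2. pinned, must match exactly
	TrustNone                  // 3. not even looked at
)

// NewSelfSignedCert builds a throwaway server certificate in-process
// (constructed for this demo; not a real Vault certificate).
func NewSelfSignedCert(host string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// ClientTLSConfig is the piece that VAULT_SKIP_VERIFY and VAULT_CACERT control;
// trusted is the certificate the client was told to accept (ignored for TrustNone).
func ClientTLSConfig(mode TrustMode, trusted *x509.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: "vault.example", MinVersion: tls.VersionTLS12}
	switch mode {
	case TrustCA:
		pool := x509.NewCertPool()
		pool.AddCert(trusted) // the effect of VAULT_CACERT=/path/to/ca.pem
		cfg.RootCAs = pool
	case TrustPin:
		cfg.InsecureSkipVerify = true // skip chain building, then pin the leaf byte for byte
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || !bytes.Equal(raw[0], trusted.Raw) {
				return errors.New("presented certificate does not match the pinned one")
			}
			return nil
		}
	case TrustNone:
		cfg.InsecureSkipVerify = true // exactly what VAULT_SKIP_VERIFY=true does
	}
	return cfg
}

// Handshake runs one loopback TLS handshake between a server presenting
// `served` and a client in the given mode. It returns whether the server's
// handshake completed (all the server ever learns) and the client's verdict.
func Handshake(mode TrustMode, served tls.Certificate, trusted *x509.Certificate) (serverOK bool, clientErr error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{served}, SessionTicketsDisabled: true,
	})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan bool, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- false
			return
		}
		defer c.Close()
		// A completed handshake looks identical to the server whether the
		// client checked the certificate chain, pinned it, or ignored it.
		done <- c.(*tls.Conn).Handshake() == nil
	}()
	conn, clientErr := tls.Dial("tcp", ln.Addr().String(), ClientTLSConfig(mode, trusted))
	serverOK = <-done // let the server finish before the client hangs up
	if clientErr == nil {
		conn.Close()
	}
	return serverOK, clientErr
}
```

Running Handshake with the client in TrustCA mode and again in TrustNone mode returns serverOK == true both times: the server's tls.Conn records a completed handshake and nothing about how the peer decided to trust it, which is the answer's point. A client that rejects the certificate (unknown issuer or pin mismatch) aborts before sending anything, so a token never reaches the server in that case. What a server can insist on is the client's identity rather than the client's verification behaviour; Vault's tcp listener has tls_require_and_verify_client_cert and tls_client_ca_file for that, which the configuration in the question does not use.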