security: CWE-295: TLS verification disabled — VC-53768#190

Open
torresashjiancyber wants to merge 1 commit into Venafi:master from torresashjiancyber:VC-53768-logos-fix-c
@torresashjiancyber

Summary

Fixes CWE-295 (Improper Certificate Validation) by enabling TLS certificate verification by default in all shipped examples and adding runtime warnings when verification is explicitly disabled.

Finding

Severity: High (CVSS 6.0)
CWE: CWE-295 (Improper Certificate Validation) / CWE-1188 (Insecure Default)

Four shipped examples (examples/get_cert.py, examples/tpp/get_cert_tpp_token.py, examples/ssh_certificates/get_cert_ssh.py, examples/ssh_certificates/get_cert_ssh_service.py) set http_request_kwargs={'verify': False} as the active code path, instructing consumers to disable TLS certificate validation. The secure trust-bundle alternative was present only as a commented-out suggestion.

The SDK connection classes (TPPConnection, TPPTokenConnection, CloudConnection) forward http_request_kwargs verbatim to all requests calls without inspecting, warning, or rejecting verify=False. This includes calls that transmit Venafi credentials, session tokens, key passphrases, and private keys.

With verification disabled, an on-path attacker can present any certificate, capture transmitted secrets (username/password, bearer tokens, key passphrases), and substitute server-supplied cryptographic material.

Remediation

Examples (4 files):

  • Changed active code path from verify=False to verify="/path-to/bundle.pem" (trust bundle)
  • Moved verify=False to a comment explicitly labeled "Lab/testing only — DO NOT use in production"
  • Consumers copying examples verbatim now get certificate validation by default

SDK connection classes (3 files):

  • Added warning in TPPTokenConnection.__init__, TPPConnection.__init__, and CloudConnection.__init__
  • Warning fires when http_request_kwargs.get('verify') is False
  • Warning message: "TLS certificate verification is DISABLED; credentials and private keys will be transmitted over unverified connections. This configuration is only appropriate for isolated test environments."
  • Warning uses existing logger instances; no new imports or signature changes
  • Check uses is False to distinguish explicit boolean from CA-bundle path string or omitted key

Verification

  • Syntax check: All 7 modified files compile without errors (python3 -m py_compile)
  • Diff scope: 7 files changed, 25 insertions(+), 12 deletions(-)
  • No behavioral change for secure configurations: Trust-bundle and default (no verify key) paths unchanged
  • Detective control: SDK warning fires at connection instantiation when verify=False; does not prevent (consumers can still override), but alerts operators
  • Preventive control: Examples now default to secure configuration; insecure path requires conscious uncomment

Addresses Jira ticket VC-53768.
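As an added illustration (not code from this pull request or the vcert SDK), a stand-alone version of the detective control described above: the `verify` value that would be forwarded to `requests` is classified at connection construction time and the PR's warning is logged when it is explicitly `False`. `ExampleConnection` is a hypothetical stand-in for the SDK connection classes. Going one step beyond the PR's `is False` test, the classifier also flags other falsy values such as `0` and `""`, which `requests` likewise treats as "do not verify".

```python
import logging
from typing import Any, Mapping, Optional

logger = logging.getLogger(__name__)

# Warning text as quoted in the pull request description.
INSECURE_TLS_WARNING = (
    "TLS certificate verification is DISABLED; credentials and private keys "
    "will be transmitted over unverified connections. This configuration is "
    "only appropriate for isolated test environments."
)


def verify_mode(http_request_kwargs: Optional[Mapping[str, Any]]) -> str:
    """Classify the 'verify' value that would be forwarded to requests.

    'default'  - key absent or None: requests keeps its default (verify=True)
    'bundle'   - non-empty str: path to a CA bundle file or directory
    'disabled' - explicit False (the case the PR's `is False` check catches)
    'falsy'    - other falsy values (0, ""): requests also skips verification,
                 but an `is False` test alone would not notice them
    'enabled'  - True or any other truthy value
    """
    if not http_request_kwargs or http_request_kwargs.get("verify") is None:
        return "default"
    verify = http_request_kwargs["verify"]
    if verify is False:
        return "disabled"
    if isinstance(verify, str) and verify:
        return "bundle"
    if not verify:
        return "falsy"
    return "enabled"


def warn_if_verification_disabled(http_request_kwargs, log=logger) -> bool:
    """Log the warning once; returns True when it fired (useful for tests/audits)."""
    if verify_mode(http_request_kwargs) in ("disabled", "falsy"):
        log.warning(INSECURE_TLS_WARNING)
        return True
    return False


class ExampleConnection:
    """Hypothetical stand-in for TPPConnection/TPPTokenConnection/CloudConnection."""

    def __init__(self, url: str, http_request_kwargs=None):
        self.url = url
        # Kwargs are still forwarded verbatim; the check only observes them.
        self.http_request_kwargs = dict(http_request_kwargs or {})
        self.tls_warning_emitted = warn_if_verification_disabled(self.http_request_kwargs)
```

`tls_warning_emitted` records whether the warning fired, so a test suite or an audit hook can assert on it without parsing log output.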
