TLS: executors should install&trust self-signed cert from master #4

Open
eins78 opened this issue Mar 3, 2015 · 3 comments

Comments


eins78 commented Mar 3, 2015

Should be easy to do and there is no reason to use --insecure when talking between two own machines.


DrTom commented Mar 3, 2015

It might be possible but an annoyance nevertheless. The thing with this approach is that it makes a mess by combining two things: authentication and secure transport. Look where we got with this approach on the web: "ssl mafia". The web would be much more secure if every webserver created new random encryption keys frequently and authentication were handled via a completely independent technology for those who need it.

For Cider-CI: we already have authentication and it would be a bad idea to replace it. So I don't see what we would gain.


eins78 commented Mar 3, 2015

I am quite sure you misunderstood my request.
This is not at all about the authentication, just the secure transport.
(Maybe the word "trust" threw you off? Executors should trust the host, not the other way around.)

Also, it has nothing to do with the SSL mafia, quite the opposite: we don't need them because the master is its own CA (which is already the case, but not leveraged).


eins78 commented Mar 3, 2015

P.S. Actually transport and auth are messed together right now!
The only way an executor validates that it is talking to the correct master is because it accepts the password ;)
