Set FF_RESOLVE_FULL_TLS_CHAIN to false by default
We added the FF_RESOLVE_FULL_TLS_CHAIN feature flag in !3699 (merged) to address TLS verification issues on macOS since macOS stopped allowing SHA-1 certificates (#29373 (closed)).
However, this feature flag can probably be set to false now that most runners are using a fairly recent version of libcurl. libcurl v7.68 has since fixed the behavior to trust a certificate authority that is not self-signed. As a result, the need to resolve the full chain is no longer necessary. As long as there is a trusted certificate authority in the chain, the TLS connection can proceed.
This would also help avoid needing to decode certificates in the first place (https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36318).
Relates to #36319 (closed)
Edited by Stan Hu