cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Soheil Eizadi <>
Subject RE: Handling Self Signed Certs
Date Thu, 06 Jun 2013 21:33:15 GMT
What is missing is a facility to import a certificate into the store. If it was available you
could use it for self signed CERTS. Ideally it should be part of GUI to add devices.

I am implementing a similar HTTP Client. You are using DefaultHttpClient so it is based on
the newer Apache libraries. The ones I found in CloudStack were older Commons HttpClient which
was EOL.

In my case I planned to wrap the Client as you have for development and for production have
an API to import a certificate for SSL into the Certificate Store.

I would call to AuthScope(host, 443) to limit access to only the specific host and port.

From: [] on behalf of Will Stevens []
Sent: Thursday, June 06, 2013 1:08 PM
Subject: Re: Handling Self Signed Certs

Hey Kelven,
I am using the same https client libraries as elsewhere in Cloudstack (well
one of them because there is more than one version of http client libs
currently available in CS).

I am using this client:
import org.apache.http.impl.client.DefaultHttpClient;

I initialize it like this:
_httpclient = new DefaultHttpClient();

Then if self signed certs are allowed, I currently have a utility library
in my plugin which allows me to do this:
// Allows you to connect via SSL using unverified certs
_httpclient = HttpClientWrapper.wrapClient(_httpclient);

Is there a class that already exists in CloudStack which I can use to wrap
my client to enable unverified certs, or will I need to add one?  Should I
create a global setting such as 'Allow unverified SSL certs' which would be
checked by the code to determine if the http client should be wrapped?

Thx, Will

On Thu, Jun 6, 2013 at 2:43 PM, Kelven Yang <> wrote:

> Will,
> We have several other integrated components that have the similar
> situation, it makes sense to consolidate the HTTPS client we used across
> CloudStack and have a global configuration to deal with self-signed
> certificate for all in testing or POC.
> To help testing/POC process to be smooth, we may allow self-signed
> certificate by default(which is the current behave), security sensitive
> customers should disallow self-signed certificates in their production
> environment.
> Kelven
> On 6/6/13 9:08 AM, "Will Stevens" <> wrote:
> >Hey All,
> >I am building integration between CS and an external Palo Alto Firewall
> >device.  The API calls to the PA device are done over HTTPS.  In some
> >cases
> >(like testing or a POC), it makes sense to use a self signed cert for this
> >connection.
> >
> >Currently I have a little http client wrapper which allows the use of a
> >self signed cert.  Obviously, I do not want to use the wrapper when a real
> >cert is used.
> >
> >What I am thinking of doing is adding a checkbox on the 'Add Palo Alto
> >Device' configuration overlay with an option for 'Using a self signed
> >cert'.  If this checkbox is checked, then the http client wrapper is used
> >so the self signed cert will not throw errors, if it is not checked, the
> >the http client wrapper will not be used and errors will be thrown if the
> >cert is not valid.
> >
> >Is this a realistic approach to this problem?  Is this problem handled in
> >other parts of the system in a different way?
> >
> >Thanks,
> >
> >Will

View raw message