cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Will Stevens <>
Subject Re: Handling Self Signed Certs
Date Thu, 06 Jun 2013 20:08:38 GMT
Hey Kelven,
I am using the same https client libraries as elsewhere in Cloudstack (well
one of them because there is more than one version of http client libs
currently available in CS).

I am using this client:
import org.apache.http.impl.client.DefaultHttpClient;

I initialize it like this:
_httpclient = new DefaultHttpClient();

Then if self signed certs are allowed, I currently have a utility library
in my plugin which allows me to do this:
// Allows you to connect via SSL using unverified certs
_httpclient = HttpClientWrapper.wrapClient(_httpclient);

Is there a class that already exists in CloudStack which I can use to wrap
my client to enable unverified certs, or will I need to add one?  Should I
create a global setting such as 'Allow unverified SSL certs' which would be
checked by the code to determine if the http client should be wrapped?

Thx, Will

On Thu, Jun 6, 2013 at 2:43 PM, Kelven Yang <> wrote:

> Will,
> We have several other integrated components that have the similar
> situation, it makes sense to consolidate the HTTPS client we used across
> CloudStack and have a global configuration to deal with self-signed
> certificate for all in testing or POC.
> To help testing/POC process to be smooth, we may allow self-signed
> certificate by default(which is the current behave), security sensitive
> customers should disallow self-signed certificates in their production
> environment.
> Kelven
> On 6/6/13 9:08 AM, "Will Stevens" <> wrote:
> >Hey All,
> >I am building integration between CS and an external Palo Alto Firewall
> >device.  The API calls to the PA device are done over HTTPS.  In some
> >cases
> >(like testing or a POC), it makes sense to use a self signed cert for this
> >connection.
> >
> >Currently I have a little http client wrapper which allows the use of a
> >self signed cert.  Obviously, I do not want to use the wrapper when a real
> >cert is used.
> >
> >What I am thinking of doing is adding a checkbox on the 'Add Palo Alto
> >Device' configuration overlay with an option for 'Using a self signed
> >cert'.  If this checkbox is checked, then the http client wrapper is used
> >so the self signed cert will not throw errors, if it is not checked, the
> >the http client wrapper will not be used and errors will be thrown if the
> >cert is not valid.
> >
> >Is this a realistic approach to this problem?  Is this problem handled in
> >other parts of the system in a different way?
> >
> >Thanks,
> >
> >Will

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message