incubator-cvs mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Incubator Wiki] Update of "LibcloudSSL" by JerryChen
Date Mon, 03 Jan 2011 23:48:00 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Incubator Wiki" for change notification.

The "LibcloudSSL" page has been changed by JerryChen.
http://wiki.apache.org/incubator/LibcloudSSL

--------------------------------------------------

New page:
== Background ==

Python does not perform SSL certificate name verification out of the box.

To address this, we've introduced the '''libcloud.security''' module with tunable parameters.

Accordingly, the LibcloudHTTPSConnection objects load their settings from this module and perform
hostname checks against the certificate's `commonName` and `subjectAltName` DNS entries.

== Requirements ==

At the time of writing, this change adds a requirement on the `ssl` PyPI ''package'' for Python 2.5+,
since Python 2.6+ already ships the built-in `ssl` ''module''.

== Usage ==

=== Disabling SSL Certificate Check ===

Setting '''VERIFY_SSL_CERT''' to False is currently the default behavior of 0.4.1-dev.  This
will likely change in future versions.

{{{#!python
import libcloud.security
libcloud.security.VERIFY_SSL_CERT = False
}}}

When this value is False, libcloud emits a !UserWarning:

{{{#!bash
libcloud/httplib_ssl.py:55: UserWarning: SSL certificate verification is disabled, this can
pose a security risk. For more information how to enable the SSL certificate verification,
please visit the libcloud documentation.
  warnings.warn(libcloud.security.VERIFY_SSL_DISABLED_MSG)
}}}

=== Enabling SSL Certificate Check ===

{{{#!python
import libcloud.security
libcloud.security.VERIFY_SSL_CERT = True

# optionally, add to CA_CERTS_PATH
libcloud.security.CA_CERTS_PATH.append("/path/to/your/cacerts.txt")
}}}

'''CA_CERTS_PATH''' contains common paths to CA bundle installations on the following platforms:
 * '''openssl''' on CentOS/Fedora
 * '''ca-certificates''' on Debian/Ubuntu/Arch/Gentoo
 * '''ca_root_nss''' on FreeBSD
 * '''curl-ca-bundle''' on Mac OS X

== Example Failure Scenarios ==

=== Missing Valid Certificate Authority ===

When no valid CA bundle can be found in '''CA_CERTS_PATH''', one may see the following warning:

{{{#!bash
libcloud/httplib_ssl.py:75: UserWarning: Warning: No CA Certificates were found in CA_CERTS_PATH.
Toggling VERIFY_SSL_CERT to False.
  warnings.warn(libcloud.security.CA_CERTS_UNAVAILABLE_MSG)
}}}
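The CA-bundle lookup and the fallback described above, as an added example (this is not libcloud's own code). It assumes a list of candidate bundle paths, modelled on the platform list given for '''CA_CERTS_PATH'''; the concrete paths below are assumptions, not taken from libcloud. The `allow_fallback` flag reproduces the documented 0.4.1-dev behaviour of toggling verification off with a warning; the default chosen here fails closed instead, so a missing bundle cannot silently downgrade a verified connection.

```python
import os
import tempfile
import warnings

# Candidate CA bundle locations, in search order. These are assumed paths for the
# packages named on the wiki page; libcloud's actual CA_CERTS_PATH may differ.
DEFAULT_CA_CANDIDATES = [
    '/etc/pki/tls/certs/ca-bundle.crt',           # openssl on CentOS/Fedora (assumed)
    '/etc/ssl/certs/ca-certificates.crt',         # ca-certificates on Debian/Ubuntu (assumed)
    '/usr/local/share/certs/ca-root-nss.crt',     # ca_root_nss on FreeBSD (assumed)
    '/opt/local/share/curl/curl-ca-bundle.crt',   # curl-ca-bundle on Mac OS X (assumed)
]

# Message text taken from the warning shown on the wiki page.
CA_CERTS_UNAVAILABLE_MSG = ('Warning: No CA Certificates were found in CA_CERTS_PATH. '
                            'Toggling VERIFY_SSL_CERT to False.')


def find_ca_bundle(candidates):
    """Return the first candidate that is an existing, readable, non-empty file."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK) and os.path.getsize(path) > 0:
            return path
    return None


def resolve_verification(verify_requested, candidates, allow_fallback=False):
    """Decide the effective (verify, bundle_path) pair for a connection.

    verify_requested mirrors VERIFY_SSL_CERT. If a bundle is found, verification
    stays on. If none is found: with allow_fallback=True the documented behaviour
    (warn and disable) is reproduced; with the default allow_fallback=False the
    caller gets an exception, which is the safer choice for production code.
    """
    if not verify_requested:
        return False, None
    bundle = find_ca_bundle(candidates)
    if bundle is not None:
        return True, bundle
    if allow_fallback:
        warnings.warn(CA_CERTS_UNAVAILABLE_MSG)
        return False, None
    raise RuntimeError('SSL verification requested but no CA bundle found in %r' % (candidates,))


def make_constructed_bundle():
    """Write a placeholder PEM-shaped file (NOT a real certificate) to a temp path.

    Only used so the example runs offline; the locator checks presence and
    readability, it does not parse certificates.
    """
    fd, path = tempfile.mkstemp(suffix='.pem')
    with os.fdopen(fd, 'w') as handle:
        handle.write('-----BEGIN CERTIFICATE-----\n'
                     'PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n'
                     '-----END CERTIFICATE-----\n')
    return path


if __name__ == '__main__':
    # Fail-closed path: no bundle on a constructed list -> exception.
    try:
        resolve_verification(True, ['/nonexistent/ca-bundle.crt'])
    except RuntimeError as exc:
        print('fail-closed:', exc)
    # Documented fallback path: warning, verification disabled.
    print('fallback:', resolve_verification(True, ['/nonexistent/ca-bundle.crt'],
                                            allow_fallback=True))
    # Bundle present: verification stays on and the bundle path is returned.
    print('found:', resolve_verification(True, [make_constructed_bundle()]))
```

Because the fallback is explicit in the return value, a caller can log which of the three outcomes actually applied rather than discovering later that verification was silently off.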

=== Certificate Hostname Mismatch Failure ===

When the hostname does not match the certificate, an SSLError exception is raised.

To manually test, one can edit the HOSTS file to point a Provider API hostname to another
SSL-enabled site, and the result should be:

{{{#!bash
  File "libcloud/httplib_ssl.py", line 99, in connect
    raise ssl.SSLError('Failed to verify hostname')
ssl.SSLError: Failed to verify hostname
}}}
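The hostname check that the Background section describes and that this failure scenario exercises, as an added example rather than libcloud's `httplib_ssl.py` code. It works on the dictionary shape returned by Python's `ssl` `getpeercert()` (certificates below are constructed, not real). One assumption is noted: where a certificate carries `subjectAltName` DNS entries, only those are consulted and `commonName` is used just as a fallback, which is the RFC 6125 ordering; the wiki text only says both are checked, so libcloud's exact precedence may differ.

```python
import ssl


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    Comparison is case-insensitive with trailing dots ignored. A wildcard is
    honoured only as the whole leftmost label ('*.example.com'), it matches
    exactly one label, and it never matches the bare parent domain.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    if not pattern.startswith('*.') or '*' in pattern[2:]:
        return False  # partial or non-leftmost wildcards are rejected
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert):
    """Return (subjectAltName DNS entries, commonName values) from a getpeercert() dict."""
    sans = [value for (kind, value) in cert.get('subjectAltName', ()) if kind == 'DNS']
    cns = [value for rdn in cert.get('subject', ())
           for (kind, value) in rdn if kind == 'commonName']
    return sans, cns


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate's SAN DNS entries, or by
    commonName when the certificate has no SAN DNS entries at all."""
    sans, cns = cert_dns_names(cert)
    candidates = sans if sans else cns
    return any(_dns_name_matches(name, hostname) for name in candidates)


def check_hostname(cert, hostname):
    """Raise the same error the wiki page shows when the peer name does not match."""
    if not hostname_matches(cert, hostname):
        raise ssl.SSLError('Failed to verify hostname')


# Constructed certificates in getpeercert() shape (not real certificates).
SAN_CERT = {
    'subject': ((('commonName', 'example.com'),),),
    'subjectAltName': (('DNS', 'example.com'), ('DNS', '*.example.com')),
}
CN_ONLY_CERT = {
    'subject': ((('countryName', 'US'),), (('commonName', 'legacy.example.org'),)),
}
# SAN present, so the commonName below is ignored even though it looks plausible.
SAN_OVERRIDES_CN_CERT = {
    'subject': ((('commonName', 'internal.example.net'),),),
    'subjectAltName': (('DNS', 'public.example.net'),),
}


if __name__ == '__main__':
    for cert, host in [(SAN_CERT, 'api.example.com'),
                       (SAN_CERT, 'a.b.example.com'),
                       (CN_ONLY_CERT, 'legacy.example.org'),
                       (SAN_OVERRIDES_CN_CERT, 'internal.example.net')]:
        try:
            check_hostname(cert, host)
            print('%-22s OK' % host)
        except ssl.SSLError as exc:
            print('%-22s %s' % (host, exc))
```

The `SAN_OVERRIDES_CN_CERT` case is the one worth remembering when debugging a mismatch error: a certificate whose commonName looks right can still fail if its subjectAltName list names something else, because the SAN list wins once it is present.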

== Miscellaneous ==

=== OS X: Batteries Not Included ===

The current issue with OS X root certificates is that they're stored in the Keychain format,
unlike the standard PEM format available on other *nix platforms.

=== Acquiring CA Certificates ===

If the above packages are unavailable to you, and you don't wish to roll your own, the makers
of cURL provide an excellent CA bundle, generated from Mozilla's root store: [[http://curl.haxx.se/docs/caextract.html]]

== Feedback ==

Please send any feedback to the mailing list at libcloud@incubator.apache.org or file it in JIRA
at [[https://issues.apache.org/jira/browse/LIBCLOUD]].
