incubator-libcloud mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael De La Rue (JIRA)" <j...@apache.org>
Subject [libcloud] [jira] Created: (LIBCLOUD-65) SSL verification should be on (now available in base python).
Date Tue, 07 Dec 2010 08:00:13 GMT
SSL verification should be on (now available in base python).
-------------------------------------------------------------

                 Key: LIBCLOUD-65
                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-65
             Project: Libcloud
          Issue Type: New Feature
            Reporter: Michael De La Rue


In drivers/base.py there is the following warning.

# WARNING: Python's built-in SSL does not do certificate validation.  As
# such, one cannot be sure of the other end of the conversation with any
# sufficient authority.  If you are in a position to be exploited (i.e., on
# an untrusted network), be cautious with SSL connections.  This is an issue
# with upstream Python (see http://bugs.python.org/issue1589 for details)
# and not with libcloud.

in the issue referenced (http://bugs.python.org/issue1589) it's said that the bug is now fixed
and there is even a link to a backport of the module needed to do proper SSL enforcing.

http://pypi.python.org/pypi/backports.ssl_match_hostname/

The functionality to enforce secure SSL connections should now be enforced by default and
a warning issued if the module isn't available.  

I'm not filing this as a bug because the lack of verification is documented and expected,
but it could certainly be seen as a bit "surprising" so it would be a good idea to fix this.
 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message