incubator-libcloud mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Philip Schwartz (JIRA)" <>
Subject [libcloud] [jira] Commented: (LIBCLOUD-65) SSL verification should be on (now available in base python).
Date Tue, 07 Dec 2010 14:11:09 GMT


Philip Schwartz commented on LIBCLOUD-65:

I was actually looking at this yesterday with a goal of switching to the better functioning
pyOpenSSL instead of the stdlib ssl. Maybe this should be brought up for further discussion
as to which we want to keep.

> SSL verification should be on (now available in base python).
> -------------------------------------------------------------
>                 Key: LIBCLOUD-65
>                 URL:
>             Project: Libcloud
>          Issue Type: New Feature
>            Reporter: Michael De La Rue
> In drivers/ there is the following warning.
> # WARNING: Python's built-in SSL does not do certificate validation.  As
> # such, one cannot be sure of the other end of the conversation with any
> # sufficient authority.  If you are in a position to be exploited (i.e., on
> # an untrusted network), be cautious with SSL connections.  This is an issue
> # with upstream Python (see for details)
> # and not with libcloud.
> in the issue referenced ( it's said that the bug is
now fixed and there is even a link to a backport of the module needed to do proper SSL enforcing.
> The functionality to enforce secure SSL connections should now be enforced by default
and a warning issued if the module isn't available.  
> I'm not filing this as a bug because the lack of verification is documented and expected,
but it could certainly be seen as a bit "surprising" so it would be a good idea to fix this.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message