incubator-libcloud mailing list archives

From Jerry Chen <je...@apache.org>
Subject [libcloud] SSL Certificate Name Verification
Date Mon, 03 Jan 2011 03:29:52 GMT
Hi all,

The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL certificate name verification.

The code is based off of Tomaž Muraus's excellent contributions, but has a few changes:

1. Introduces the libcloud.security module:
  - VERIFY_SSL_CERT, set to a default of False in this version for backwards compatibility
  - CA_CERTS_PATH, a list of search paths for certificate authority files, currently populated with common paths on *nix platforms
    - openssl from yum
    - ca-certificates from aptitude, pacman
    - curl-ca-bundle from MacPorts
2. Introduces LibcloudHTTPSConnection, a subclass of httplib.HTTPSConnection
  - reads libcloud.security.VERIFY_SSL_CERT
  - emits warning if VERIFY_SSL_CERT is set to False
  - emits warning if cannot find a certificate in CA_CERTS_PATH
  - checks both commonName, subjectAltName with wildcard support
3. Removes M2Crypto dependency

OS X support does NOT work out of the box without an external CA cert file, because root certificates
are held in Keychain format [2], rather than the standard PEM format. That being said, one
of the paths in CA_CERTS_PATH includes the MacPorts curl-ca-bundle.

As always, feedback, bugs and comments are welcomed.

Cheers,
Jerry

[1] http://svn.apache.org/viewvc?view=revision&revision=1054518
[2] http://www.apple.com/certificateauthority/ca_program.html
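
Added example (not part of the original message and not libcloud's code): a sketch of the two checks the message describes, locating a CA file from a list of search paths and matching a hostname against commonName and subjectAltName with wildcard support. The function names are hypothetical, the certificate dict uses the shape returned by Python's ssl getpeercert(), and the policy of using commonName only when no DNS subjectAltName is present follows RFC 6125, which is an assumption rather than a statement about r1054518.

```python
import os
import warnings


def find_ca_file(paths):
    """Return the first existing CA bundle in paths; warn and return None if none exists."""
    for path in paths:
        if os.path.isfile(path):
            return path
    warnings.warn("no CA certificate file found; the peer cannot be verified")
    return None


def _name_matches(pattern, hostname):
    """Compare one certificate name to hostname; '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Require three or more labels so a name such as "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Extract DNS subjectAltName entries and commonName values from a getpeercert() dict."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return sans, cns


def hostname_matches(cert, hostname):
    """Use subjectAltName when present; fall back to commonName only if there is no DNS SAN."""
    sans, cns = cert_names(cert)
    return any(_name_matches(name, hostname) for name in (sans or cns))


if __name__ == "__main__":
    # Constructed sample certificate, not taken from any real endpoint.
    sample = {
        "subject": ((("commonName", "api.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    }
    for host in ("api.example.com", "a.b.example.com", "example.net"):
        print(host, hostname_matches(sample, host))
```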