incubator-libcloud mailing list archives

From Jerry Chen <>
Subject [libcloud] SSL Certificate Name Verification
Date Mon, 03 Jan 2011 03:29:52 GMT
Hi all,

The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL certificate name verification.

The code is based off of Tomaž Muraus's excellent contributions, but has a few changes:

1. Introduces the module:
  - VERIFY_SSL_CERT, set to a default of False in this version for backwards compatibility
  - CA_CERTS_PATH, a list of search paths for certificate authority files, currently populated
with common paths on *nix platforms
    - openssl from yum
    - ca-certificates from aptitude, pacman
    - curl-ca-bundle from MacPorts
2. Introduces LibcloudHTTPSConnection, a subclass of httplib.HTTPSConnection
  - reads
  - emits warning if VERIFY_SSL_CERT is set to False
  - emits warning if cannot find a certificate in CA_CERTS_PATH
  - checks both commonName, subjectAltName with wildcard support
3. Removes M2Crypto dependency

OS X support does NOT work out of the box without an external CA cert file, because root certificates
are held in Keychain format [2], rather than the standard PEM format.  That being said, one
of the paths in CA_CERTS_PATH includes the MacPorts curl-ca-bundle.

As always, feedback, bugs and comments are welcomed.
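
The commonName / subjectAltName check with wildcard support described in item 2, as an added example that is not part of the original message and is not libcloud's code. The function names and sample certificates are constructed for illustration; the certificate dicts use the layout returned by Python's `ssl.SSLSocket.getpeercert()`. It assumes a stricter policy than "check both": commonName is consulted only when the certificate carries no DNS subjectAltName (the RFC 6125 rule), and a wildcard must be the whole left-most label.

```python
def dns_name_matches(pattern, hostname):
    """Compare one name from a certificate with the host we connected to."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:] or any("*" in label for label in rest):
        return False  # everything right of the first label must match literally
    if first == "*":
        # Assumption: refuse overly broad patterns such as "*.test".
        return len(rest) >= 2 and bool(h_labels[0])
    return "*" not in first and first == h_labels[0]


def names_from_cert(cert):
    """Return DNS subjectAltNames, falling back to commonName if there are none."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def cert_matches_hostname(cert, hostname):
    """True if any name the certificate presents is valid for hostname."""
    return any(dns_name_matches(name, hostname) for name in names_from_cert(cert))


# Constructed sample certificates (not taken from any real endpoint).
WILDCARD_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "host.example.test"),),)}
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "old.internal.test"),),),
    "subjectAltName": (("DNS", "new.internal.test"),),
}

if __name__ == "__main__":
    for host in ("ec2.example.test", "example.test", "a.b.example.test"):
        print(host, cert_matches_hostname(WILDCARD_CERT, host))
```

A caller would run this on the peer certificate after the TLS handshake has already validated the chain against a CA file, and close the connection when it returns False.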

