incubator-libcloud mailing list archives

From Tomaž Muraus <to...@cloudkick.com>
Subject Re: [libcloud] SSL Certificate Name Verification
Date Mon, 03 Jan 2011 16:23:27 GMT
Yeah, thanks for making the necessary changes and putting everything
together :-)

I have just tested trunk with python 2.5 and there are multiple issues, but
all of them can be resolved:

1. like Paul has already said, ssl module is not available in python < 2.6,
but like Jerry has suggested I have tested it and it works fine with ssl
package from pypi (we should add ssl package as a dependency if python
version is < 2.5)
2. library does not work because I have used
*socket.create_connection* convenience method
which is not available in python < 2.6 (this can be easily fixed by changing
it to *sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
sock.connect((self.host, self.port))*; note that connect() takes a single
(host, port) tuple)
3. there are probably some other minor issues, but I just did a quick test
and I have probably missed something

I will try to post a patch which addresses this issue by the end of this
week.

Also, I think we can add "*/usr/local/share/certs/ca-root-nss.crt*" to the
ca-certs search path, because this is the default path for the ca cert
bundle which is available on FreeBSD in the ca_certs_nss port.

P.S. It would be nice if we can get another buildslave with python 2.5.

On Mon, Jan 3, 2011 at 3:03 PM, Jerry Chen <jerry@apache.org> wrote:

>
> On Jan 3, 2011, at 12:54 AM, Paul Querna wrote:
>
> > On Sun, Jan 2, 2011 at 7:29 PM, Jerry Chen <jerry@apache.org> wrote:
> >> Hi all,
> >>
> >> The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL
> certificate name verification.
> >>
> >> The code is based off of Tomaž Muraus's excellent contributions, but has
> a few changes:
> >>
> >> 1. Introduces the libcloud.security module:
> >>  - VERIFY_SSL_CERT, set to a default of False in this version for
> backwards compatibility
> >>  - CA_CERTS_PATH, a list of search paths for certificate authority
> files, currently populated with common paths on *nix platforms
> >>    - openssl from yum
> >>    - ca-certificates from aptitude, pacman
> >>    - curl-ca-bundle from MacPorts
> >> 2. Introduces LibcloudHTTPSConnection, a subclass of
> httplib.HTTPSConnection
> >>  - reads libcloud.security.VERIFY_SSL_CERT
> >>  - emits warning if VERIFY_SSL_CERT is set to False
> >>  - emits warning if cannot find a certificate in CA_CERTS_PATH
> >>  - checks both commonName, subjectAltName with wildcard support
> >> 3. Removes M2Crypto dependency
> >>
> >> OS X support does NOT work out of the box without an external CA cert
> file, because root certificates are held in Keychain format [2], rather than
> the standard PEM format.  That being said, one of the paths in CA_CERTS_PATH
> includes the MacPort's curl-ca-bundle.
> >>
> >> As always, feedback, bugs and comments are welcomed.
> >
> > Thanks to you and Tomaz for figuring this out!
> >
> > I don't really like that the default first experience on OS X will
> > emit a warning.  I kinda wish we had a better way to handle that
> > situation.  I don't know of a better option though, besides bundling a
> > CA list, which would suck for many other reasons.
>
> The only alternative I could think of is providing a different deprecation
> warning, which would include instructions on exporting root certificates
> straight from Keychain with `keytool` to a path like
> /opt/libcloud/cacert.pem, and then already having this path in the
> CA_CERTS_PATH setting.
>
> Unfortunately, I was not able to figure out how to use `keytool` correctly
> and do this in bulk.
>
> > My other question was, is the SSL library now required to use
> > libcloud?  My understanding is that the ssl module was added in Python
> > 2.6 -- meaning the minimal version for libcloud is now Python 2.6.
>
> That is a very good point. However it looks like perhaps the cheeseshop ssl
> package might be compatible with 2.3+, according to
> http://pypi.python.org/pypi/ssl/.
>
> > This personally doesn't pose a problem, but could be a pain for older
> > RHEL, or even Ubuntu 8.04, which are still only Python 2.4 or 2.5
> > (which until this change, my understanding was that libcloud worked on
> > those platforms).
>
> I will have to test it out on an older 2.x; either way, the native ssl
> module or a PyPi package (if viable) will be necessary for SSL verification.
>
> Cheers,
> Jerry
>
> > Thoughts?
> >
> > Thanks,
> >
> > Paul
>
>

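The thread above describes three pieces of the new verification code without showing any of them: a CA_CERTS_PATH search list that warns when no bundle is found, a hostname check against both commonName and subjectAltName with wildcard support, and the socket.create_connection fallback for Python 2.5. The block below is an added example written for this archive page, not libcloud's own code. It runs on modern Python 3; the cert dictionaries, hostnames and function names are constructed, the search paths other than the FreeBSD one named in the thread are the editor's assumptions about typical distribution locations, and the matching rules (subjectAltName dNSName entries take precedence, commonName is only consulted when there are none, a wildcard covers exactly one leftmost label and never a top-level domain) are the later RFC 6125 conventions rather than a claim about what r1054518 did.

```python
import os
import socket
import warnings

# Constructed search list in the spirit of libcloud.security.CA_CERTS_PATH.
# Only the FreeBSD entry comes from the thread; the others are assumptions
# about where common distributions install their bundles.
CA_CERTS_PATH = [
    "/etc/ssl/certs/ca-certificates.crt",        # ca-certificates (Debian, Ubuntu, Arch) - assumed
    "/etc/pki/tls/certs/ca-bundle.crt",          # openssl bundle on RHEL/Fedora - assumed
    "/opt/local/share/curl/curl-ca-bundle.crt",  # curl-ca-bundle from MacPorts - assumed
    "/usr/local/share/certs/ca-root-nss.crt",    # ca_root_nss port on FreeBSD (from the thread)
]


def find_ca_certs(search_paths=CA_CERTS_PATH):
    """Return the first existing CA bundle file, or None after emitting a warning.

    Verification cannot be enabled without a bundle, so the caller must treat
    None as 'fall back to unverified and say so', never as 'verified'."""
    for path in search_paths:
        if os.path.isfile(path):
            return path
    warnings.warn("No CA certificate bundle found in CA_CERTS_PATH; "
                  "server certificates cannot be verified")
    return None


def _dnsname_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname, case-insensitively.

    A wildcard is only honoured as the whole leftmost label: '*.example.com'
    matches 'a.example.com' but not 'a.b.example.com', 'example.com' or,
    for a two-label pattern such as '*.com', anything at all."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """Return True if the decoded certificate is valid for hostname.

    'cert' uses the same layout as ssl.SSLSocket.getpeercert(): a 'subject'
    tuple of RDN tuples of (key, value) pairs, and an optional 'subjectAltName'
    tuple of (type, value) pairs. dNSName entries are authoritative when
    present; commonName is only a fallback for certificates without them."""
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(_dnsname_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dnsname_matches(value, hostname):
                return True
    return False


def connect_tcp(host, port, timeout=None):
    """Open a plain TCP connection, using the Python 2.5 fallback from the thread
    when socket.create_connection() is missing. connect() takes one tuple."""
    if hasattr(socket, "create_connection"):
        return socket.create_connection((host, port), timeout)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    return sock


# Constructed certificates for demonstration; not real servers.
EXAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.cloud.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "*.legacy.example.org"),)),
}

if __name__ == "__main__":
    print("CA bundle:", find_ca_certs())
    for host in ("api.example.com", "node1.cloud.example.com", "a.b.cloud.example.com"):
        print(host, "->", match_hostname(EXAMPLE_CERT, host))
```

Running the module prints the bundle found on the current machine (or None plus the warning) and the match results for the three constructed hostnames; only the second wildcard case fails, because the extra label is not covered.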