incubator-libcloud mailing list archives

From Jerry Chen <je...@apache.org>
Subject Re: [libcloud] SSL Certificate Name Verification
Date Mon, 03 Jan 2011 16:38:02 GMT

On Jan 3, 2011, at 10:23 AM, Tomaž Muraus wrote:

> Yeah, thanks for making the necessary changes and putting everything
> together :-)
> 
> I have just tested trunk with python 2.5 and there are multiple issues, but
> all of them can be resolved:
> 
> 1. like Paul has already said, ssl module is not available in python < 2.6,
> but like Jerry has suggested I have tested it and it works fine with ssl
> package from pypi (we should add ssl package as a dependency if python
> version is < 2.5)

One thing to note is I tested on Python 2.4 (CentOS 5.x) and some of the syntax isn't supported,
e.g. "blah if True else bar."

Trying to maintain 2.4 compatibility may be more trouble than it's worth, but if anyone on
the mailing list does rely on 2.4, please speak up.

Otherwise, having the ssl package as a dependency for 2.5 sounds good to me.

> 2. the library does not work because I have used the
> socket.create_connection convenience method,
> which is not available in python < 2.6 (this can be easily fixed by changing
> it to sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
> sock.connect((self.host, self.port)) )

Thanks for catching that. I need to find a 2.5 setup to play with.

> 3. there are probably some other minor issues, but I just did a quick test
> and I have probably missed something

When I find said 2.5 setup, I will definitely test it a bit more.

> I will try to post a patch which addresses this issue by the end of this
> week.

Awesome!

> Also, I think we can add "/usr/local/share/certs/ca-root-nss.crt" to the
> ca-certs search path, because this is the default path for the ca cert
> bundle which is available on FreeBSD in the ca_certs_nss port.

Done in r1054678, thanks for letting me know on IRC.

> P.S. It would be nice if we can get another buildslave with python 2.5.

Indeed, and I have inquired with Gav on the details on the buildbot setup, because for example
I want to clean up the pyflakes output, which erroneously complains about the redefinition
of 'json,' despite the fact that it's a perfectly valid try...except clause that handles ImportError.

> On Mon, Jan 3, 2011 at 3:03 PM, Jerry Chen <jerry@apache.org> wrote:
> 
>> 
>> On Jan 3, 2011, at 12:54 AM, Paul Querna wrote:
>> 
>>> On Sun, Jan 2, 2011 at 7:29 PM, Jerry Chen <jerry@apache.org> wrote:
>>>> Hi all,
>>>> 
>>>> The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL
>> certificate name verification.
>>>> 
>>>> The code is based off of Tomaž Muraus's excellent contributions, but has
>> a few changes:
>>>> 
>>>> 1. Introduces the libcloud.security module:
>>>> - VERIFY_SSL_CERT, set to a default of False in this version for
>> backwards compatibility
>>>> - CA_CERTS_PATH, a list of search paths for certificate authority
>> files, currently populated with common paths on *nix platforms
>>>>   - openssl from yum
>>>>   - ca-certificates from aptitude, pacman
>>>>   - curl-ca-bundle from MacPorts
>>>> 2. Introduces LibcloudHTTPSConnection, a subclass of
>> httplib.HTTPSConnection
>>>> - reads libcloud.security.VERIFY_SSL_CERT
>>>> - emits warning if VERIFY_SSL_CERT is set to False
>>>> - emits warning if cannot find a certificate in CA_CERTS_PATH
>>>> - checks both commonName, subjectAltName with wildcard support
>>>> 3. Removes M2Crypto dependency
>>>> 
>>>> OS X support does NOT work out of the box without an external CA cert
>> file, because root certificates are held in Keychain format [2], rather than
>> the standard PEM format.  That being said, one of the paths in CA_CERTS_PATH
>> includes the MacPorts curl-ca-bundle.
>>>> 
>>>> As always, feedback, bugs and comments are welcomed.
>>> 
>>> Thanks to you and Tomaz for figuring this out!
>>> 
>>> I don't really like that the default first experience on OS X will
>>> emit a warning.  I kinda wish we had a better way to handle that
>>> situation.  I don't know of a better option though, besides bundling a
>>> CA list, which would suck for many other reasons.
>> 
>> The only alternative I could think of is providing a different deprecation
>> warning, which would include instructions on exporting root certificates
>> straight from Keychain with `keytool` to a path like
>> /opt/libcloud/cacert.pem, and then already having this path in the
>> CA_CERTS_PATH setting.
>> 
>> Unfortunately, I was not able to figure out how to use `keytool` correctly
>> and do this in bulk.
>> 
>>> My other question was, is the SSL library now required to use
>>> libcloud?  My understanding is that the ssl module was added in Python
>>> 2.6 -- meaning the minimal version for libcloud is now Python 2.6.
>> 
>> That is a very good point. However it looks like perhaps the cheeseshop ssl
>> package might be compatible with 2.3+, according to
>> http://pypi.python.org/pypi/ssl/.
>> 
>>> This personally doesn't pose a problem, but could be a pain for older
>>> RHEL, or even Ubuntu 8.04, which are still only Python 2.4 or 2.5
>>> (which until this change, my understanding was that libcloud worked on
>>> those platforms).
>> 
>> I will have to test it out on an older 2.x; either way, the native ssl
>> module or a PyPi package (if viable) will be necessary for SSL verification.
>> 
>> Cheers,
>> Jerry
>> 
>>> Thoughts?
>>> 
>>> Thanks,
>>> 
>>> Paul
>> 
>> 


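The name check that r1054518 describes (commonName and subjectAltName, with wildcard support) illustrated as an added example; this is not code from the thread or from libcloud's LibcloudHTTPSConnection. It works on the dict shape that ssl.getpeercert() returns, prefers DNS subjectAltName entries over the commonName as RFC 6125 recommends, and honours a wildcard only as the whole leftmost label so that "*.example.com" does not cover the bare domain or a deeper subdomain. The sample certificate dict is constructed for the demo; verify_peer assumes network access and a host whose chain validates against cafile (or the system store when None).

```python
import socket
import ssl

# Constructed sample in the shape ssl.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    'subject': ((('commonName', 'example.com'),),),
    'subjectAltName': (('DNS', '*.example.com'), ('DNS', 'example.org')),
}


def _dns_names(cert):
    """Names the certificate asserts for TLS. If any DNS subjectAltName
    entries exist, only those count; commonName is a fallback for
    certificates without SANs, not an extra identity."""
    sans = [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    if sans:
        return sans
    return [v for rdn in cert.get('subject', ())
            for key, v in rdn if key == 'commonName']


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against hostname.
    A wildcard must be the entire leftmost label, matches exactly one
    label, and never matches the parent domain; '*.com' style is refused."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith('*.'):
        return pattern == hostname
    plabels, hlabels = pattern.split('.'), hostname.split('.')
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return hlabels[0] != '' and plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if cert (getpeercert() dict) is valid for hostname."""
    return any(_name_matches(n, hostname) for n in _dns_names(cert))


def verify_peer(host, port=443, cafile=None):
    """Connect, let ssl validate the chain against cafile (system store if
    None), then apply the name check above to the presented certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done by hostname_matches
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hostname_matches(tls.getpeercert(), host)
```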