From: Jerry Chen
Date: Mon, 3 Jan 2011 10:38:02 -0600
To: libcloud@incubator.apache.org
Subject: Re: [libcloud] SSL Certificate Name Verification

On Jan 3, 2011, at 10:23 AM, Tomaž Muraus wrote:

> Yeah, thanks for making the necessary changes and putting everything
> together :-)
>
> I have just tested trunk with python 2.5 and there are multiple issues, but
> all of them can be resolved:
>
> 1. like Paul has already said, ssl module is not available in python < 2.6,
> but like Jerry has suggested I have tested it and it works fine with ssl
> package from pypi (we should add ssl package as a dependency if python
> version is < 2.5)

One thing to note is I tested on Python 2.4 (CentOS 5.x) and some of the
syntax isn't supported, e.g. "blah if True else bar."

Trying to maintain 2.4 compatibility may be more trouble than it's
worth, but if anyone on the mailing list does rely on 2.4, please speak
up.

Otherwise, having the ssl package as a dependency for 2.5 sounds good to
me.

> 2. library does not work because I have used
> *socket.create_connection* convenience method
> which is not available in python < 2.6 (this can be easily fixed by changing
> it to *sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
> sock.connect((self.host, self.port))*)

Thanks for catching that. I need to find a 2.5 setup to play with.

> 3. there are probably some other minor issues, but I just did a quick test
> and I have probably missed something

When I find said 2.5 setup, I will definitely test it a bit more.

> I will try to post a patch which addresses this issue by the end of this
> week.

Awesome!

> Also, I think we can add "*/usr/local/share/certs/ca-root-nss.crt*" to the
> ca-certs search path, because this is the default path for the ca cert
> bundle which is available on FreeBSD in the ca_certs_nss port.

Done in r1054678, thanks for letting me know on IRC.

> P.S.
> It would be nice if we can get another buildslave with python 2.5.

Indeed, and I have inquired with Gav on the details on the buildbot
setup, because for example I want to clean up the pyflakes output, which
erroneously complains about the redefinition of 'json,' despite the fact
that it's a perfectly valid try...except clause that handles
ImportError.

> On Mon, Jan 3, 2011 at 3:03 PM, Jerry Chen wrote:
>
>>
>> On Jan 3, 2011, at 12:54 AM, Paul Querna wrote:
>>
>>> On Sun, Jan 2, 2011 at 7:29 PM, Jerry Chen wrote:
>>>> Hi all,
>>>>
>>>> The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL
>>>> certificate name verification.
>>>>
>>>> The code is based off of Tomaž Muraus's excellent contributions, but has
>>>> a few changes:
>>>>
>>>> 1. Introduces the libcloud.security module:
>>>>    - VERIFY_SSL_CERT, set to a default of False in this version for
>>>>      backwards compatibility
>>>>    - CA_CERTS_PATH, a list of search paths for certificate authority
>>>>      files, currently populated with common paths on *nix platforms
>>>>      - openssl from yum
>>>>      - ca-certificates from aptitude, pacman
>>>>      - curl-ca-bundle from MacPorts
>>>> 2. Introduces LibcloudHTTPSConnection, a subclass of
>>>>    httplib.HTTPSConnection
>>>>    - reads libcloud.security.VERIFY_SSL_CERT
>>>>    - emits warning if VERIFY_SSL_CERT is set to False
>>>>    - emits warning if cannot find a certificate in CA_CERTS_PATH
>>>>    - checks both commonName, subjectAltName with wildcard support
>>>> 3. Removes M2Crypto dependency
>>>>
>>>> OS X support does NOT work out of the box without an external CA cert
>>>> file, because root certificates are held in Keychain format [2], rather than
>>>> the standard PEM format. That being said, one of the paths in CA_CERTS_PATH
>>>> includes the MacPorts curl-ca-bundle.
>>>>
>>>> As always, feedback, bugs and comments are welcomed.
>>>
>>> Thanks to you and Tomaz for figuring this out!
>>>
>>> I don't really like that the default first experience on OS X will
>>> emit a warning. I kinda wish we had a better way to handle that
>>> situation. I don't know of a better option though, besides bundling a
>>> CA list, which would suck for many other reasons.
>>
>> The only alternative I could think of is providing a different deprecation
>> warning, which would include instructions on exporting root certificates
>> straight from Keychain with `keytool` to a path like
>> /opt/libcloud/cacert.pem, and then already having this path in the
>> CA_CERTS_PATH setting.
>>
>> Unfortunately, I was not able to figure out how to use `keytool` correctly
>> and do this in bulk.
>>
>>> My other question was, is the SSL library now required to use
>>> libcloud? My understanding is that the ssl module was added in Python
>>> 2.6 -- meaning the minimal version for libcloud is now Python 2.6.
>>
>> That is a very good point. However it looks like perhaps the cheeseshop ssl
>> package might be compatible with 2.3+, according to
>> http://pypi.python.org/pypi/ssl/.
>>
>>> This personally doesn't pose a problem, but could be a pain for older
>>> RHEL, or even Ubuntu 8.04, which are still only Python 2.4 or 2.5
>>> (which until this change, my understanding was that libcloud worked on
>>> those platforms).
>>
>> I will have to test it out on an older 2.x; either way, the native ssl
>> module or a PyPI package (if viable) will be necessary for SSL verification.
>>
>> Cheers,
>> Jerry
>>
>>> Thoughts?
>>>
>>> Thanks,
>>>
>>> Paul
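For readers of the archive: the sketch below is an added example, not libcloud's r1054518 code or anything posted in this thread. It shows the design Jerry describes (a VERIFY_SSL_CERT switch, a CA_CERTS_PATH search list, an HTTPSConnection subclass that verifies the chain against the first bundle found and the hostname against commonName/subjectAltName with one-label wildcards) together with the pre-2.6 socket fallback Tomaž suggests. Assumptions: Python 3 standard-library names (http.client for httplib, ssl.SSLContext in place of ssl.wrap_socket), the bundle file paths listed for the packages named in the announcement (only the FreeBSD path appears in the thread), a constructed SAMPLE_CERT in the dict shape getpeercert() returns, and failing closed when no bundle is found rather than only warning. A modern SSLContext already performs the hostname check itself (check_hostname=True); it is switched off here only so the hand-rolled check is visible.

```python
"""Added example (not libcloud's code): CA bundle search plus hostname
verification in the style of libcloud.security / LibcloudHTTPSConnection.
Assumes Python 3 stdlib names and the bundle paths listed below."""
import os
import socket
import ssl
import warnings
import http.client

# libcloud.security-style settings.  False is the 0.4.1-dev default from the thread.
VERIFY_SSL_CERT = False

# Search path for CA bundles.  The FreeBSD path is the one Tomaž names; the
# others are assumed locations for the packages listed in the announcement.
CA_CERTS_PATH = [
    '/etc/pki/tls/certs/ca-bundle.crt',          # openssl (yum)
    '/etc/ssl/certs/ca-certificates.crt',        # ca-certificates (apt, pacman)
    '/opt/local/share/curl/curl-ca-bundle.crt',  # curl-ca-bundle (MacPorts)
    '/usr/local/share/certs/ca-root-nss.crt',    # ca_root_nss (FreeBSD)
]

# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns; not a real certificate.
SAMPLE_CERT = {
    'subject': ((('commonName', 'api.example.com'),),),
    'subjectAltName': (('DNS', 'api.example.com'),
                       ('DNS', '*.storage.example.com')),
}


def dnsname_match(pattern, hostname):
    """RFC 2818-style name match: case-insensitive; '*' allowed only as the
    whole leftmost label, matching exactly one label; no bare '*.tld'."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if not pattern or not hostname:
        return False
    plabels = pattern.split('.')
    hlabels = hostname.split('.')
    if len(plabels) != len(hlabels):
        return False                      # '*' never spans a dot
    if any('*' in label for label in plabels[1:]):
        return False                      # wildcard only in the leftmost label
    if '*' in plabels[0]:
        if plabels[0] != '*' or len(plabels) < 3:
            return False                  # rejects 'w*.example.com' and '*.com'
        return plabels[1:] == hlabels[1:]
    return plabels == hlabels


def match_hostname(cert, hostname):
    """True when hostname matches the certificate.  DNS subjectAltNames win;
    commonName is consulted only when the cert carries no DNS SAN."""
    sans = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
    if sans:
        return any(dnsname_match(name, hostname) for name in sans)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName' and dnsname_match(value, hostname):
                return True
    return False


def find_ca_bundle(paths=None):
    """First readable bundle on the search path, or None when none exists
    (the OS X out-of-the-box case discussed in the thread)."""
    for path in (CA_CERTS_PATH if paths is None else paths):
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


class LibcloudHTTPSConnection(http.client.HTTPSConnection):
    """HTTPSConnection that honours VERIFY_SSL_CERT and CA_CERTS_PATH."""

    def connect(self):
        if not VERIFY_SSL_CERT:
            warnings.warn("SSL certificate verification is disabled "
                          "(libcloud.security.VERIFY_SSL_CERT is False)")
            return http.client.HTTPSConnection.connect(self)
        ca_file = find_ca_bundle()
        if ca_file is None:
            warnings.warn("No CA certificate bundle found in CA_CERTS_PATH")
            raise ssl.SSLError("cannot verify %s: no CA bundle available" % self.host)
        try:
            sock = socket.create_connection((self.host, self.port), self.timeout)
        except AttributeError:
            # Python < 2.6 has no socket.create_connection (Tomaž's fallback).
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.connect((self.host, self.port))
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.check_hostname = False     # name check done below, as in the 2011 design
        context.verify_mode = ssl.CERT_REQUIRED
        context.load_verify_locations(cafile=ca_file)
        self.sock = context.wrap_socket(sock, server_hostname=self.host)
        if not match_hostname(self.sock.getpeercert(), self.host):
            self.sock.close()
            raise ssl.SSLError("hostname %r does not match certificate" % self.host)
```

The wildcard rules are the part worth checking with adversarial names: a "*.storage.example.com" SAN must not cover "storage.example.com" itself or "a.b.storage.example.com", and "*.com" or "w*.example.com" must never be accepted, otherwise any attacker with a certificate for one such name could impersonate the cloud API endpoint.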