libcloud-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject Re: [libcloud] SSL Certificate Name Verification
Date Mon, 03 Jan 2011 06:54:33 GMT
On Sun, Jan 2, 2011 at 7:29 PM, Jerry Chen <jerry@apache.org> wrote:
> Hi all,
>
> The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL certificate name verification.
>
> The code is based off of Tomaž Muraus's excellent contributions, but has a few changes:
>
> 1. Introduces the libcloud.security module:
>  - VERIFY_SSL_CERT, set to a default of False in this version for backwards compatibility
>  - CA_CERTS_PATH, a list of search paths for certificate authority files, currently
>    populated with common paths on *nix platforms
>    - openssl from yum
>    - ca-certificates from aptitude, pacman
>    - curl-ca-bundle from MacPorts
> 2. Introduces LibcloudHTTPSConnection, a subclass of httplib.HTTPSConnection
>  - reads libcloud.security.VERIFY_SSL_CERT
>  - emits warning if VERIFY_SSL_CERT is set to False
>  - emits warning if cannot find a certificate in CA_CERTS_PATH
>  - checks both commonName, subjectAltName with wildcard support
> 3. Removes M2Crypto dependency
>
> OS X support does NOT work out of the box without an external CA cert file, because root
> certificates are held in Keychain format [2], rather than the standard PEM format.  That
> being said, one of the paths in CA_CERTS_PATH includes the MacPort's curl-ca-bundle.
>
> As always, feedback, bugs and comments are welcomed.

Thanks to you and Tomaz for figuring this out!

I don't really like that the default first experience on OS X will
emit a warning.  I kinda wish we had a better way to handle that
situation.  I don't know of a better option though, besides bundling a
CA list, which would suck for many other reasons.

My other question was, is the SSL library now required to use
libcloud?  My understanding is that the ssl module was added in Python
2.6 -- meaning the minimal version for libcloud is now Python 2.6.
This personally doesn't pose a problem, but could be a pain for older
RHEL, or even Ubuntu 8.04, which are still only Python 2.4 or 2.5
(which until this change, my understanding was that libcloud worked on
those platforms).

Thoughts?

Thanks,

Paul
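The checks Jerry describes above (commonName and subjectAltName matching with wildcard support, plus the CA_CERTS_PATH search), as an added illustration that is not libcloud's own code: the certificate dict shape is the one Python's ssl module returns from getpeercert(), while the search paths and the sample certificate are constructed for this example.

```python
import os

# Constructed search list in the spirit of CA_CERTS_PATH; these paths are examples only.
CA_CERTS_PATH = [
    '/etc/pki/tls/certs/ca-bundle.crt',          # openssl from yum
    '/etc/ssl/certs/ca-certificates.crt',        # ca-certificates from apt, pacman
    '/opt/local/share/curl/curl-ca-bundle.crt',  # curl-ca-bundle from MacPorts
]

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    'subject': ((('commonName', 'api.example.com'),),),
    'subjectAltName': (('DNS', 'api.example.com'), ('DNS', '*.cloud.example.com')),
}


def find_ca_bundle(paths=CA_CERTS_PATH):
    """Return the first readable CA bundle, or None so the caller can warn as the commit does."""
    for path in paths:
        if os.path.isfile(path):
            return path
    return None


def _pattern_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A leading '*.' matches exactly one DNS label, and only when at least two fixed labels
    follow it, so '*.cloud.example.com' matches 'eu.cloud.example.com' but '*.com' is rejected.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith('*.'):
        p_labels, h_labels = pattern[2:].split('.'), hostname.split('.')
        if len(p_labels) < 2:
            return False
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def cert_names(cert):
    """DNS subjectAltName entries; the subject commonName is used only when no SAN is present."""
    sans = [value for (kind, value) in cert.get('subjectAltName', ()) if kind == 'DNS']
    if sans:
        return sans
    return [value for rdn in cert.get('subject', ()) for (kind, value) in rdn if kind == 'commonName']


def hostname_matches(cert, hostname):
    """True when any name on the certificate covers the hostname the client connected to."""
    return any(_pattern_matches(name, hostname) for name in cert_names(cert))
```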
