TLS/SSL verification support
The HTTPS client code in current Python 2.7.x libraries does not perform proper certificate verification. Ensure that a) the client uses the system certificate store (or an operator-supplied CA bundle) for verification; b) the client performs proper server certificate verification, including checking that the certificate matches the hostname being connected to; and c) the client handles server certificates signed by intermediate CAs properly. It is assumed that the server side is correctly configured and may be a dedicated SSL/TLS endpoint.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Dean Troyer
- Direction: Needs approval
- Assignee: Dean Troyer
- Definition: New
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Dean Troyer
- Completed by: Dean Troyer
Whiteboard
The Python 2.7.x ssl module does not verify the server certificate unless the caller explicitly asks for it (cert_reqs=CERT_REQUIRED together with a ca_certs file), and even then it never checks that the certificate was issued for the hostname being connected to. httplib, and httplib2 as novaclient uses it, are built on ssl and likewise do not verify the server certificate. The hostname check, ssl.match_hostname(), was added in Python 3.2 and has not been backported to 2.7.
The requests module carries a backport of the Python 3.2 match_hostname() function and can replace httplib2.
The solution is to swap httplib2 for requests in python-novaclient and enable its server certificate verification. Ensure the command-line options that control verification are implemented properly, so that verification is on unless the user explicitly turns it off.
The (new) command-line options for verification are:
--os-cacert <ca-cert-file>
Specify a CA bundle file to use in verifying a TLS (https) server certificate. Env var: OS_CACERT
--insecure
Explicitly disable server certificate verification for TLS (https) requests.
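Added example, not python-novaclient's own code: a match_hostname() written in the style of the Python 3.2 function that requests backported, run against constructed getpeercert()-shaped certificates so the dNSName / commonName / wildcard rules are visible, together with a hypothetical helper (requests_verify_arg, an assumption of this example) that maps --os-cacert, --insecure and OS_CACERT onto the `verify` argument requests takes. It is Python 3 code and makes no network connection.

```python
"""Added example, not python-novaclient code: a match_hostname() in the
style of the Python 3.2 function that requests backported, plus the
mapping from --os-cacert / --insecure / OS_CACERT onto the `verify`
argument of requests.  The certificates below are constructed dicts in
the shape returned by ssl.SSLSocket.getpeercert(); nothing touches the
network, so this runs offline."""

import os
import re


class CertificateError(ValueError):
    """The presented certificate does not name the host we connected to."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName or commonName pattern against hostname.

    Rules follow RFC 6125 as the 3.2 implementation applied them: a
    wildcard only in the leftmost label, at most one of them, never
    spanning a dot and never inside an IDNA (xn--) label; names are
    compared case-insensitively.
    """
    if not pattern:
        return False
    parts = pattern.split('.')
    leftmost, remainder = parts[0], parts[1:]
    wildcards = leftmost.count('*')
    if wildcards > 1:
        raise CertificateError('too many wildcards in certificate DNS name: %r' % pattern)
    if not wildcards:
        return pattern.lower() == hostname.lower()
    if leftmost == '*':
        first = '[^.]+'               # '*' alone matches exactly one non-empty label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        first = re.escape(leftmost)   # no wildcard expansion inside IDNA labels
    else:
        first = re.escape(leftmost).replace(r'\*', '[^.]*')   # e.g. www*
    pats = [first] + [re.escape(frag) for frag in remainder]
    return re.match(r'\A' + r'\.'.join(pats) + r'\Z', hostname, re.IGNORECASE) is not None


def match_hostname(cert, hostname):
    """Raise CertificateError unless cert is valid for hostname.

    dNSName entries in subjectAltName are authoritative; the subject
    commonName is consulted only when the certificate has no dNSName.
    """
    if not cert:
        raise ValueError('empty or no certificate')
    names_tried = []
    for kind, value in cert.get('subjectAltName', ()):
        if kind == 'DNS':
            if _dnsname_match(value, hostname):
                return
            names_tried.append(value)
    if not names_tried:
        for rdn in cert.get('subject', ()):
            for kind, value in rdn:
                if kind == 'commonName':
                    if _dnsname_match(value, hostname):
                        return
                    names_tried.append(value)
    if names_tried:
        raise CertificateError("hostname %r doesn't match %s"
                               % (hostname, ', '.join(map(repr, names_tried))))
    raise CertificateError('no appropriate commonName or subjectAltName fields were found')


def hostname_matches(cert, hostname):
    """Boolean wrapper around match_hostname() for callers that just want yes/no."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


def requests_verify_arg(cacert=None, insecure=False, environ=None):
    """Hypothetical helper: translate the novaclient options onto requests' `verify`.

    --insecure             -> False  (skip verification entirely; test labs only)
    --os-cacert <file>     -> <file> (verify against that CA bundle)
    neither                -> True   (verify against the bundle requests ships)
    OS_CACERT stands in for --os-cacert when the flag is not given.
    """
    environ = os.environ if environ is None else environ
    if insecure:
        return False
    cacert = cacert or environ.get('OS_CACERT')
    return cacert if cacert else True


# Constructed sample certificates (not real peers), getpeercert()-shaped.
SAMPLE_CERT_SAN = {
    'subject': ((('commonName', 'ignored.example.com'),),),
    'subjectAltName': (('DNS', 'nova.example.com'), ('DNS', '*.cloud.example.com')),
}
SAMPLE_CERT_CN_ONLY = {'subject': ((('commonName', 'nova.example.com'),),)}


if __name__ == '__main__':
    for host in ('nova.example.com', 'api.cloud.example.com',
                 'a.b.cloud.example.com', 'ignored.example.com'):
        print('%-24s -> %s' % (host, hostname_matches(SAMPLE_CERT_SAN, host)))
    print(requests_verify_arg(cacert='/etc/ssl/certs/ca-certificates.crt'))
    print(requests_verify_arg(insecure=True))
```

Two points worth checking against requirement a) above. With verify=True requests does not consult the operating-system trust store; it verifies against the CA bundle it ships, so pointing --os-cacert (or requests' REQUESTS_CA_BUNDLE variable) at the distribution's bundle is what actually puts the system store in use. And --insecure must take precedence over a CA bundle, as the helper does, so that an OS_CACERT left in the environment cannot silently change what the user explicitly asked for.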
Gerrit topic: https:/
Addressed by: https:/
Use requests module for HTTP/HTTPS
Work items:
swap requests in for httplib2: DONE
configure command-line and environment options: DONE