Uploaded image for project: 'Libcloud'
  1. Libcloud
  2. LIBCLOUD-65

SSL verification should be on (now available in base python).

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 0.4.1
    • None
    • None

    Description

      In drivers/base.py there is the following warning.

      1. WARNING: Python's built-in SSL does not do certificate validation. As
      2. such, one cannot be sure of the other end of the conversation with any
      3. sufficient authority. If you are in a position to be exploited (i.e., on
      4. an untrusted network), be cautious with SSL connections. This is an issue
      5. with upstream Python (see http://bugs.python.org/issue1589 for details)
      6. and not with libcloud.

      in the issue referenced (http://bugs.python.org/issue1589) it's said that the bug is now fixed and there is even a link to a backport of the module needed to do proper SSL enforcing.

      http://pypi.python.org/pypi/backports.ssl_match_hostname/

      The functionality to enforce secure SSL connections should now be enforced by default and a warning issued if the module isn't available.

      I'm not filing this as a bug because the lack of verification is documented and expected, but it could certainly be seen as a bit "surprising" so it would be a good idea to fix this.

      Attachments

        Activity

          People

            jerry@apache.org Jerry Chen
            delarue Michael De La Rue
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: