This appears to be fixed in boto at http://codereview.appspot.com/4425052/ . That went into trunk ~ April 18 of 2011, which was prior to boto 2.0 release (which is in 11.10).
I've done some remedial testing and verified that a ~/.boto file with the following reads the packaged boto file /usr/lib/python2.7/dist-packages/boto/cacerts/cacerts.txt (a symlink to /usr/share/pyshared/boto/cacerts/cacerts.txt). --- ~/.boto --- [Boto] https_validate_certificates = true I've also verified that if you do something like: [Boto] https_validate_certificates = true ca_certificates_file = mycacerts.txt and populate mycacerts.txt with some garbage, you will get something like: $ euca-describe-instances [Errno 1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ** Changed in: euca2ools (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to euca2ools in Ubuntu. https://bugs.launchpad.net/bugs/611194 Title: No secure way to protect against MiM attacks To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/euca2ools/+bug/611194/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs