[ https://issues.apache.org/jira/browse/LIBCLOUD-100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13064900#comment-13064900 ]
Tomaz Muraus commented on LIBCLOUD-100:
---------------------------------------
Done - https://svn.apache.org/viewvc?view=revision&revision=1146493.
Now if no CA certs are found and VERIFY_SSL_CERT_STRICT is True (it's True by
default) a RuntimeError is thrown.
> libcloud should never disable HTTPS
> -----------------------------------
>
> Key: LIBCLOUD-100
> URL: https://issues.apache.org/jira/browse/LIBCLOUD-100
> Project: Libcloud
> Issue Type: Improvement
> Components: Core
> Affects Versions: 0.5.0
> Reporter: Chris Adams
> Labels: security
>
> As documented on http://wiki.apache.org/incubator/LibcloudSSL, libcloud will
> simply disable HTTPS checks when there are no valid CAs on the current system:
> "libcloud/httplib_ssl.py:75: UserWarning: Warning: No CA Certificates were
> found in CA_CERTS_PATH. Toggling VERIFY_SSL_CERT to False.
> warnings.warn(libcloud.security.CA_CERTS_UNAVAILABLE_MSG)"
> This is bad as it's easy to assume you're operating in a secure manner if you
> don't (or can't) see the warning message. If VERIFY_SSL_CERT is true,
> libcloud should simply toss a runtime error and force the user to provide a
> CA rather than making it easy to assume things are working as desired.
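The fail-closed behaviour discussed in this thread, sketched as an added example; it is not libcloud's code. The function names and the `verify` / `strict` parameters are hypothetical stand-ins for the VERIFY_SSL_CERT and VERIFY_SSL_CERT_STRICT settings named above, and the caller supplies the candidate CA paths.

```python
import os
import ssl
import warnings


def find_ca_bundle(candidates):
    """Return the first candidate path that is a readable file, else None."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def resolve_verification(candidates, verify=True, strict=True):
    """Decide whether certificate verification stays on.

    Returns (verification_enabled, ca_path). With strict=True a missing
    CA bundle is a hard error instead of a silent downgrade.
    """
    if not verify:
        return False, None  # the caller explicitly opted out
    ca_path = find_ca_bundle(candidates)
    if ca_path is not None:
        return True, ca_path
    if strict:
        # Fail closed: the user has to supply a CA bundle to proceed.
        raise RuntimeError(
            "No CA certificates found in %r; refusing to disable "
            "certificate verification" % (list(candidates),)
        )
    # Fail open (the behaviour the issue objects to): only a warning
    # tells the user that verification has been switched off.
    warnings.warn("No CA certificates found; verification disabled",
                  UserWarning)
    return False, None


def build_context(candidates, verify=True, strict=True):
    """Build an ssl.SSLContext that reflects the decision above."""
    enabled, ca_path = resolve_verification(candidates, verify, strict)
    if enabled:
        return ssl.create_default_context(cafile=ca_path)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

With `strict=False` the only signal of the downgrade is a `UserWarning`, which is easy to miss when output is redirected or warnings are filtered.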