On Mon, 08/11/2010 at 11.18 +0100, Tomaž Muraus wrote:
> Hello,
>
> A user has already created an issue on Jira about this[1] some time ago and
> because the root issue is in the Python module only a warning has been added
> to the README.
>
> I still personally think that the better solution would be to fix the problem
> and subclass the HTTPSConnection class and manually check the hostname or
> switch to the M2Crypto library like you have suggested.
>
> Only problem with switching to the M2Crypto library is that it adds an extra
> dependency.

Sure. Hence, using M2Crypto if available and printing a warning otherwise
is to my eyes the optimum.

That's what I'm doing in the attached patch (from "svn diff" on svn trunk).
Would you mind reviewing/testing it?

Would you/some other developer suggest if there are other places (a quick
grep found none) in libcloud where https connections are made?

thanks a lot

Pietro

>
> [1]: https://issues.apache.org/jira/browse/LIBCLOUD-55
>
> On Mon, Nov 8, 2010 at 11:00 AM, Pietro Battiston
> <[email protected]> wrote:
>
> > Hello,
> >
> > I'm coping with bug
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463
> > and it seems the only upstream reference to it is
> >
> > http://mail-archives.apache.org/mod_mbox/incubator-libcloud/201009.mbox/%3c5860913.463891285776633273.javamail.j...@thor%3e
> >
> > Now, there is no doubt that it's indeed an annoying thing, and that many
> > other projects just fixed it (waiting for python devs doing it). But I'm
> > not in search of a flame: I just would like to fix it (as a Debian patch,
> > if you are not interested).
> >
> > In a project of mine, the analogous fix took very few lines of code:
> >
> > http://code.google.com/p/galleryremote/source/diff?spec=svn6&r=6&format=side&path=/trunk/galleryremote/gallery.py
> >
> > and I would be happy to try to do the same on libcloud, though I
> > perfectly know it will be slightly harder.
> >
> > But the main point is: I never used this library, nor have an
> > account on any cloud provider, so I would totally appreciate if some dev
> > or at least user could cooperate with me. Feel free to answer on the
> > mailing list or contact me privately.
> >
> > Thanks
> >
> > Pietro Battiston
> >

Index: libcloud/base.py
===================================================================
--- libcloud/base.py (revisione 1031964)
+++ libcloud/base.py (copia locale)
@@ -17,6 +17,18 @@
Provides base classes for working with drivers
"""
import httplib, urllib
+
+CA_SYSTEM_DIR = '/etc/ssl/certs'
+
+try:
+ from M2Crypto import httpslib
+ from M2Crypto import SSL
+ M2CRYPTO = True
+ HTTPSConnection = httpslib.HTTPSConnection
+except ImportError:
+ M2CRYPTO = False
+ HTTPSConnection = httplib.HTTPSConnection
+
import libcloud
from libcloud.types import NodeState, DeploymentError
from libcloud.ssh import SSHClient
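Review bot: CA_SYSTEM_DIR is hard-coded to '/etc/ssl/certs' at module level, which ties certificate verification to one distribution's filesystem layout. On a system where that directory is missing or holds no usable CA files, the M2Crypto code path that later loads it would have no trust anchors. Suggest making the path overridable (a documented module attribute or a constructor argument) and mentioning it next to the existing README warning. A one-line comment above the try/except saying that HTTPSConnection is deliberately rebound depending on whether M2Crypto imports would also help readers of the later hunks.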
@@ -257,13 +269,13 @@
cmd.extend([pquote("https://%s:%d%s" % (self.host, self.port, url))])
return " ".join(cmd)
-class LoggingHTTPSConnection(LoggingConnection, httplib.HTTPSConnection):
+class LoggingHTTPSConnection(LoggingConnection, HTTPSConnection):
"""
Utility Class for logging HTTPS connections
"""
def getresponse(self):
- r = httplib.HTTPSConnection.getresponse(self)
+ r = HTTPSConnection.getresponse(self)
if self.log is not None:
r, rv = self._log_response(r)
self.log.write(rv + "\n")
@@ -277,7 +289,7 @@
self.log.write(pre +
self._log_curl(method, url, body, headers) + "\n")
self.log.flush()
- return httplib.HTTPSConnection.request(self, method, url,
+ return HTTPSConnection.request(self, method, url,
body, headers)
class LoggingHTTPConnection(LoggingConnection, httplib.HTTPConnection):
@@ -316,7 +328,7 @@
# and not with libcloud.
#conn_classes = (httplib.LoggingHTTPConnection, LoggingHTTPSConnection)
- conn_classes = (httplib.HTTPConnection, httplib.HTTPSConnection)
+ conn_classes = (httplib.HTTPConnection, HTTPSConnection)
responseCls = Response
connection = None
@@ -354,8 +366,20 @@
"""
host = host or self.host
port = port or self.port[self.secure]
-
- connection = self.conn_classes[self.secure](host, port)
+ kwargs = {'host': host, 'port': port}
+ if self.secure:
+ if M2CRYPTO:
+ ssl_context = SSL.Context()
+ ssl_context.load_verify_info( capath=CA_SYSTEM_DIR )
+ ssl_context.set_verify( SSL.verify_peer |
+ SSL.verify_fail_if_no_peer_cert |
+ SSL.verify_client_once, 20 )
+ kwargs['ssl_context'] = ssl_context
+ else:
+ print "WARNING: a secured connection was requested, but the\
+ M2Crypto module is not available, so the autenticity of the server will NOT be\
+ verified."""
+ connection = self.conn_classes[self.secure](kwargs)
# You can uncoment this line, if you setup a reverse proxy server
# which proxies to your endpoint, and lets you easily capture
# connections in cleartext when you setup the proxy to do SSL
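Review bot: The call "connection = self.conn_classes[self.secure](kwargs)" passes the dict as one positional argument, so the connection class receives the whole dict as its host and never sees port or ssl_context; it needs to be "self.conn_classes[self.secure](**kwargs)". In the else branch the code only prints to stdout and then connects unverified: consider the warnings module (or failing closed with an explicit opt-out) so the message cannot be missed, and fix the spelling "autenticity". The backslash continuations inside the string literal pull the leading whitespace of the following lines into the message, and the literal opens with a single quote character but ends in three. SSL.verify_client_once only has an effect on the server side, so it can be dropped from the set_verify flags. Nothing in this hunk says whether the hostname is compared with the certificate, which is the check discussed in the thread; a comment or a test covering that would be welcome.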
signature.asc
Description: This is a digitally signed message part
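
The manual hostname check suggested in the quoted reply, as an added example that is not part of the attached patch or of libcloud. It takes a certificate in the dict shape returned by ssl.SSLSocket.getpeercert(); the names check_hostname, dns_name_matches and CertificateError and the sample certificates are constructed for illustration.

```python
# Added example: hostname check against an already chain-verified peer
# certificate. Input is the dict shape returned by
# ssl.SSLSocket.getpeercert(); the certificates below are constructed.


class CertificateError(ValueError):
    pass


def dns_name_matches(pattern, hostname):
    """Match one dNSName; '*' is accepted only as the whole left-most label."""
    p_labels = pattern.lower().rstrip('.').split('.')
    h_labels = hostname.lower().rstrip('.').split('.')
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == '*':
        # Refuse overly broad wildcards such as '*.com'.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if '*' in pattern:
        return False  # partial or non-leftmost wildcards are rejected
    return p_labels == h_labels


def check_hostname(cert, hostname):
    """Return True if cert is valid for hostname, else raise."""
    if not cert:
        # getpeercert() gives an empty dict when the chain was not validated.
        raise CertificateError('no verified peer certificate')
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:
        # commonName is consulted only when no dNSName entry is present.
        names = [v for rdn in cert.get('subject', ())
                 for k, v in rdn if k == 'commonName']
    if not any(dns_name_matches(n, hostname) for n in names):
        raise CertificateError('%r does not match %r' % (hostname, names))
    return True


# Constructed sample certificates (not real ones).
SAMPLE_SAN = {'subject': ((('commonName', 'old.example.org'),),),
              'subjectAltName': (('DNS', 'api.example.org'),
                                 ('DNS', '*.cloud.example.org'))}
SAMPLE_CN_ONLY = {'subject': ((('commonName', 'legacy.example.org'),),)}
```

The check is only meaningful after the certificate chain has been verified against trusted CAs; on its own it says nothing about who issued the certificate.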
