Hi all,
The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL certificate name
verification.
The code is based off of Tomaž Muraus's excellent contributions, but has a few
changes:
1. Introduces the libcloud.security module:
   - VERIFY_SSL_CERT, set to a default of False in this version for backwards
     compatibility
   - CA_CERTS_PATH, a list of search paths for certificate authority files,
     currently populated with common paths on *nix platforms
     - openssl from yum
     - ca-certificates from aptitude, pacman
     - curl-ca-bundle from MacPorts
2. Introduces LibcloudHTTPSConnection, a subclass of httplib.HTTPSConnection
   - reads libcloud.security.VERIFY_SSL_CERT
   - emits a warning if VERIFY_SSL_CERT is set to False
   - emits a warning if it cannot find a certificate in CA_CERTS_PATH
   - checks both commonName, subjectAltName with wildcard support
3. Removes M2Crypto dependency
OS X support does NOT work out of the box without an external CA cert file,
because root certificates are held in Keychain format [2], rather than the
standard PEM format. That being said, one of the paths in CA_CERTS_PATH
includes MacPorts' curl-ca-bundle.
As always, feedback, bugs and comments are welcomed.
Cheers,
Jerry
[1] http://svn.apache.org/viewvc?view=revision&revision=1054518
[2] http://www.apple.com/certificateauthority/ca_program.html
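
Added example, not part of the original message and not libcloud's own code: a sketch of the kind of certificate name check described in item 2 (commonName and subjectAltName with wildcard support), run against a dict shaped like the output of Python's ssl.SSLSocket.getpeercert(). The function names, the sample certificates and the wildcard policy (whole left-most label only, subjectAltName taking precedence over commonName) are assumptions of this example.

```python
# Added illustration; function names and matching policy are assumptions,
# not taken from libcloud.


def _label_match(pattern, hostname):
    """Compare one certificate name with a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Assumption: "*" is accepted only as the entire left-most label and
        # needs at least two more labels, so "*.com" matches nothing.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert):
    """Return (DNS subjectAltName entries, commonName values)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return sans, cns


def hostname_matches(cert, hostname):
    """True if the hostname is covered by the certificate's names."""
    sans, cns = cert_names(cert)
    # Assumption: when DNS subjectAltName entries exist, commonName is
    # ignored; commonName is only a fallback for certificates without them.
    candidates = sans if sans else cns
    return any(_label_match(name, hostname) for name in candidates)


# Constructed sample certificates in getpeercert() layout (not real data).
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}

if __name__ == "__main__":
    for host in ("api.example.com", "a.b.example.com", "example.net"):
        print(host, hostname_matches(SAMPLE_CERT, host))
```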