On Jan 3, 2011, at 12:54 AM, Paul Querna wrote:

> On Sun, Jan 2, 2011 at 7:29 PM, Jerry Chen <[email protected]> wrote:
>> Hi all,
>>
>> The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL certificate
>> name verification.
>>
>> The code is based off of Tomaž Muraus's excellent contributions, but has a
>> few changes:
>>
>> 1. Introduces the libcloud.security module:
>>    - VERIFY_SSL_CERT, set to a default of False in this version for backwards
>>      compatibility
>>    - CA_CERTS_PATH, a list of search paths for certificate authority files,
>>      currently populated with common paths on *nix platforms
>>        - openssl from yum
>>        - ca-certificates from aptitude, pacman
>>        - curl-ca-bundle from MacPorts
>> 2. Introduces LibcloudHTTPSConnection, a subclass of httplib.HTTPSConnection
>>    - reads libcloud.security.VERIFY_SSL_CERT
>>    - emits warning if VERIFY_SSL_CERT is set to False
>>    - emits warning if it cannot find a certificate in CA_CERTS_PATH
>>    - checks both commonName, subjectAltName with wildcard support
>> 3. Removes M2Crypto dependency
>>
>> OS X support does NOT work out of the box without an external CA cert file,
>> because root certificates are held in Keychain format [2], rather than the
>> standard PEM format. That being said, one of the paths in CA_CERTS_PATH
>> includes the MacPort's curl-ca-bundle.
>>
>> As always, feedback, bugs and comments are welcomed.
>
> Thanks to you and Tomaz for figuring this out!
>
> I don't really like that the default first experience on OS X will
> emit a warning. I kinda wish we had a better way to handle that
> situation. I don't know of a better option though, besides bundling a
> CA list, which would suck for many other reasons.

The only alternative I could think of is providing a different deprecation warning, which would include instructions on exporting root certificates straight from Keychain with `keytool` to a path like /opt/libcloud/cacert.pem, and then already having this path in the CA_CERTS_PATH setting. Unfortunately, I was not able to figure out how to use `keytool` correctly and do this in bulk.

> My other question was, is the SSL library now required to use
> libcloud? My understanding is that the ssl module was added in Python
> 2.6 -- meaning the minimal version for libcloud is now Python 2.6.

That is a very good point. However, it looks like perhaps the cheeseshop ssl package might be compatible with 2.3+, according to http://pypi.python.org/pypi/ssl/.

> This personally doesn't pose a problem, but could be a pain for older
> RHEL, or even Ubuntu 8.04, which are still only Python 2.4 or 2.5
> (which until this change, my understanding was that libcloud worked on
> those platforms).

I will have to test it out on an older 2.x; either way, the native ssl module or a PyPi package (if viable) will be necessary for SSL verification.

Cheers,
Jerry

> Thoughts?
>
> Thanks,
>
> Paul
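The name check the commit describes (commonName and subjectAltName with wildcard support, plus a CA_CERTS_PATH lookup), as an added example that is not libcloud's own code: it matches a hostname against a certificate dict in the shape Python's ssl.getpeercert() returns, accepting a wildcard only as the whole leftmost label. The bundle paths listed are assumed, and preferring subjectAltName entries over commonName when both exist is this example's own choice, not something the message specifies.

```python
import os

# Assumed candidate bundle locations in the spirit of CA_CERTS_PATH
# (hypothetical list; which of them exists depends on the host).
CA_CERTS_PATH = [
    "/etc/ssl/certs/ca-certificates.crt",        # ca-certificates (apt, pacman)
    "/etc/pki/tls/certs/ca-bundle.crt",          # openssl (yum)
    "/opt/local/share/curl/curl-ca-bundle.crt",  # curl-ca-bundle (MacPorts)
]


def find_ca_bundle(search_paths=CA_CERTS_PATH):
    """Return the first readable CA bundle, or None so the caller can warn."""
    for path in search_paths:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def _dns_name_matches(pattern, hostname):
    """Match one DNS name pattern; '*' is allowed only as the entire leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, at least two labels must
    # follow it (so '*.com' never matches), and label counts must be equal so a
    # wildcard never spans a dot (*.example.com does not match a.b.example.com).
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output.
    DNS subjectAltName entries take precedence; commonName is consulted
    only when the certificate carries no DNS SANs."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dns_name_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed sample certificate, not a real one.
    sample = {"subject": ((("commonName", "example.com"),),),
              "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
    print(match_hostname(sample, "api.example.com"), find_ca_bundle())
```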
