Yeah, thanks for making the necessary changes and putting everything together :-)
I have just tested trunk with python 2.5 and there are multiple issues, but all of them can be resolved:

1. like Paul has already said, ssl module is not available in python < 2.6, but like Jerry has suggested I have tested it and it works fine with ssl package from pypi (we should add ssl package as a dependency if python version is < 2.5)
2. library does not work because I have used *socket.create_connection* convenience method which is not available in python < 2.6 (this can be easily fixed by changing it to *sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM); sock.connect((self.host, self.port))*)
3. there are probably some other minor issues, but I just did a quick test and I have probably missed something

I will try to post a patch which addresses this issue by the end of this week.

Also, I think we can add "*/usr/local/share/certs/ca-root-nss.crt*" to the ca-certs search path, because this is the default path for the ca cert bundle which is available on FreeBSD in the ca_certs_nss port.

P.S. It would be nice if we can get another buildslave with python 2.5.

On Mon, Jan 3, 2011 at 3:03 PM, Jerry Chen <[email protected]> wrote:
>
> On Jan 3, 2011, at 12:54 AM, Paul Querna wrote:
>
> > On Sun, Jan 2, 2011 at 7:29 PM, Jerry Chen <[email protected]> wrote:
> >> Hi all,
> >>
> >> The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL certificate name verification.
> >>
> >> The code is based off of Tomaž Muraus's excellent contributions, but has a few changes:
> >>
> >> 1. Introduces the libcloud.security module:
> >>    - VERIFY_SSL_CERT, set to a default of False in this version for backwards compatibility
> >>    - CA_CERTS_PATH, a list of search paths for certificate authority files, currently populated with common paths on *nix platforms
> >>      - openssl from yum
> >>      - ca-certificates from aptitude, pacman
> >>      - curl-ca-bundle from MacPorts
> >> 2. Introduces LibcloudHTTPSConnection, a subclass of httplib.HTTPSConnection
> >>    - reads libcloud.security.VERIFY_SSL_CERT
> >>    - emits warning if VERIFY_SSL_CERT is set to False
> >>    - emits warning if cannot find a certificate in CA_CERTS_PATH
> >>    - checks both commonName, subjectAltName with wildcard support
> >> 3. Removes M2Crypto dependency
> >>
> >> OS X support does NOT work out of the box without an external CA cert file, because root certificates are held in Keychain format [2], rather than the standard PEM format. That being said, one of the paths in CA_CERTS_PATH includes the MacPorts' curl-ca-bundle.
> >>
> >> As always, feedback, bugs and comments are welcomed.
> >
> > Thanks to you and Tomaz for figuring this out!
> >
> > I don't really like that the default first experience on OS X will emit a warning. I kinda wish we had a better way to handle that situation. I don't know of a better option though, besides bundling a CA list, which would suck for many other reasons.
>
> The only alternative I could think of is providing a different deprecation warning, which would include instructions on exporting root certificates straight from Keychain with `keytool` to a path like /opt/libcloud/cacert.pem, and then already having this path in the CA_CERTS_PATH setting.
>
> Unfortunately, I was not able to figure out how to use `keytool` correctly and do this in bulk.
>
> > My other question was, is the SSL library now required to use libcloud? My understanding is that the ssl module was added in Python 2.6 -- meaning the minimal version for libcloud is now Python 2.6.
>
> That is a very good point. However it looks like perhaps the cheeseshop ssl package might be compatible with 2.3+, according to http://pypi.python.org/pypi/ssl/.
>
> > This personally doesn't pose a problem, but could be a pain for older RHEL, or even Ubuntu 8.04, which are still only Python 2.4 or 2.5 (which until this change, my understanding was that libcloud worked on those platforms).
>
> I will have to test it out on an older 2.x; either way, the native ssl module or a PyPi package (if viable) will be necessary for SSL verification.
>
> Cheers,
> Jerry
>
> > Thoughts?
> >
> > Thanks,
> >
> > Paul
> >
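As an added example (not libcloud's code and not from anyone in this thread), here are the two checks the quoted message attributes to LibcloudHTTPSConnection: a CA bundle search over a CA_CERTS_PATH list that warns when nothing is found, and hostname matching against commonName and subjectAltName with single-label wildcards, assuming the dict layout ssl.getpeercert() returns and a constructed path list. Unlike the message above, subjectAltName takes precedence here and commonName is consulted only when no dNSName entry exists, which is what current practice requires.

```python
import os
import warnings

# Constructed search list like the thread's CA_CERTS_PATH (FreeBSD entry from above).
CA_CERTS_PATH = [
    '/etc/pki/tls/certs/ca-bundle.crt',           # openssl (RHEL/Fedora)
    '/etc/ssl/certs/ca-certificates.crt',         # ca-certificates (Debian, Arch)
    '/opt/local/share/curl/curl-ca-bundle.crt',   # curl-ca-bundle (MacPorts)
    '/usr/local/share/certs/ca-root-nss.crt',     # ca_root_nss (FreeBSD)
]

def find_ca_bundle(exists=os.path.isfile, paths=CA_CERTS_PATH):
    """First bundle present on the search path, or None plus a warning."""
    for path in paths:
        if exists(path):
            return path
    warnings.warn('no CA bundle found in CA_CERTS_PATH; certificates '
                  'cannot be verified')
    return None

def _match_name(pattern, hostname):
    """Match one certificate DNS name against a hostname.  A leading '*.' stands
    for exactly one leftmost label and needs two or more labels after it:
    '*.example.com' matches 'api.example.com' only; '*.com' matches nothing."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == hostname          # any other '*' is treated literally
    suffix = pattern[1:]                    # '.example.com'
    if suffix.count('.') < 2 or not hostname.endswith(suffix):
        return False
    label = hostname[:-len(suffix)]
    return bool(label) and '.' not in label

def cert_dns_names(cert):
    """dNSName entries from subjectAltName; commonName only if there are none."""
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:
        for rdn in cert.get('subject', ()):
            names.extend(v for k, v in rdn if k == 'commonName')
    return names

def verify_hostname(cert, hostname):
    """True if a name in the ssl.getpeercert()-shaped dict matches hostname."""
    return any(_match_name(n, hostname) for n in cert_dns_names(cert))

# Constructed sample in the dict shape ssl.getpeercert() returns.
SAMPLE_CERT = {
    'subject': ((('commonName', 'api.example.com'),),),
    'subjectAltName': (('DNS', 'api.example.com'), ('DNS', '*.storage.example.com')),
}
```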
