** Description changed: - In order to support CA certificates in pywbem, we need pywbem 0.7.0-25 - or later. On Ubuntu 12.04 and 14.04, the pywbem version is 0.7.0-4. - I'm opening this bug to request that pywbem 0.7.0-25 or later to be - packaged with Ubuntu 12.04 and 14.04 to support CA certificates. + [SRU justification] + Modification required to support CA certificates + + [Impact] + This is required in order to mitigate a MITM openstack vulnerability addressed here : https://bugs.launchpad.net/cinder/+bug/1372635 + + [Fix] + Backport fix already present in the development version + + [Test Case] + Run the following script : + #!/usr/bin/python + import pywbem + import logging + + def _get_connection(self): + + try: + conn = None + conn = pywbem.WBEMConnection(self.url, (self.user, self.passwd), + default_namespace='root/emc', + x509=None, + verify_callback=None, + ca_certs=self.cert, + no_verification=False) + except TypeError: + print "CA certificates not supported by the pywbem library." + conn = pywbem.WBEMConnection(self.url, (self.user, self.passwd), + default_namespace='root/emc') + + if conn is None: + exception_message = (_("Cannot connect to ECOM server")) + raise exception.VolumeBackendAPIException(data=exception_message) + + return conn + + class Provider(object): + def __init__(self, url, user, password): + self.url = url + self.user = user + self.passwd = password + self.cert = None + + if __name__ == '__main__': + + remote = Provider('http://localhost', 'root', 'deadbeef') + _get_connection(remote) + + With the fixed version, nothing will be displayed. With the current version, the following will appear : + CA certificates not supported by the pywbem library. + + [Regression] + None expected, the modification is already present in Vivid + + [Original description of the problem] + In order to support CA certificates in pywbem, we need pywbem 0.7.0-25 or later. On Ubuntu 12.04 and 14.04, the pywbem version is 0.7.0-4. 
I'm opening this bug to request that pywbem 0.7.0-25 or later to be packaged with Ubuntu 12.04 and 14.04 to support CA certificates. The two new parameters "ca_cert" and "no_verification" are needed in the Connection API to support CA certificates: conn = pywbem.WBEMConnection(url, - creds, - default_namespace=namespace, - x509=None, - verify_callback=None, - ca_certs=’/foo/cert_file.crt’, - no_verification=False) + creds, + default_namespace=namespace, + x509=None, + verify_callback=None, + ca_certs=’/foo/cert_file.crt’, + no_verification=False)
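Review bot: the [Test Case] script does not exercise certificate verification. It sets self.cert = None, uses the URL 'http://localhost', and only calls the WBEMConnection constructor without issuing any WBEM operation, so a silent run shows only that the constructor accepts the ca_certs and no_verification keywords without raising TypeError. Since the [Impact] section justifies the SRU as a MITM mitigation, consider adding a second step that uses an https URL against a server whose certificate is not signed by the file passed in ca_certs, and confirms that the operation is rejected. Smaller points in the same script: the "except TypeError" branch falls back to a connection built without ca_certs, which is the unverified behaviour this bug is about, so the test should treat that path as a failure and stop there; and the "if conn is None" branch references _ and exception, which the script never imports. In the original description, the prose names the parameter "ca_cert" while the code passes ca_certs, and the certificate path is wrapped in typographic quotes (’) that Python will not parse.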
https://bugs.launchpad.net/bugs/1385469
Title: pywbem library on Ubuntu doesn't support CA certificate verification
