TLS/SSL verification support

Registered by Dean Troyer

Current Python 2.x libraries do not perform proper certificate verification. Ensure that a) client uses system certificate store for verification; b) client performs proper server certificate verification; and c) client handles server certificates signed by intermediate CAs properly. It is assumed that the server side is correctly configured and may be a dedicated SSL/TLS endpoint.

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Dean Troyer
Direction: Needs approval
Assignee: Dean Troyer
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg

Whiteboard

The Python 2.7.x ssl module doesn't perform any certificate verification. httplib and httplib2 are based on ssl and also do not perform certificate verification. This verification has been added in Python 3.2 but not backported to 2.7.

The requests module carries a backport of the Python 3.2 match_hostname() function and can replace httplib2.

The solution is to swap httplib2 for requests in python-keystoneclient and enable it to verify server certificates. Ensure proper implementation of the command-line options to specify verification.

The command-line options for verification are:
--os-cacert <ca-cert-file>
    Specify a CA bundle file to use in verifying a TLS (https) server certificate. Env var: OS_CACERT
--insecure
    Explicitly disable server certificate verification for TLS (https) requests.
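
One way to map the two options above onto the `verify` setting of a requests session. This is an added example, not code from python-keystoneclient. The program name, the function names, the rule that --insecure takes precedence over a CA file, and the rejection of a missing CA file are assumptions of this example.

```python
import argparse
import os


def build_parser(environ):
    """Parser for the two verification options described above."""
    parser = argparse.ArgumentParser(prog="example-client")  # hypothetical name
    parser.add_argument(
        "--os-cacert", metavar="<ca-cert-file>",
        # An empty OS_CACERT is treated as unset (assumption of this example).
        default=environ.get("OS_CACERT") or None,
        help="CA bundle file used to verify a TLS (https) server certificate")
    parser.add_argument(
        "--insecure", action="store_true",
        help="explicitly disable server certificate verification")
    return parser


def resolve_verify(argv, environ):
    """Return the value to use as the requests `verify` setting.

    True  -> verify against the default CA bundle
    str   -> verify against this CA bundle file
    False -> no verification, only when --insecure was given explicitly
    """
    args = build_parser(environ).parse_args(argv)
    if args.insecure:
        # Assumption: the explicit opt-out wins over --os-cacert / OS_CACERT.
        return False
    if args.os_cacert:
        # Fail closed: a bad path must stop the client, not weaken verification.
        if not os.path.isfile(args.os_cacert):
            raise ValueError("CA bundle not found: %s" % args.os_cacert)
        return args.os_cacert
    # Neither option given: verification stays on.
    return True


def make_session(verify):
    """Build a requests session that applies the resolved setting."""
    import requests  # imported here so the option logic runs without it
    session = requests.Session()
    session.verify = verify  # used for every request made through the session
    return session


if __name__ == "__main__":
    import sys
    print(resolve_verify(sys.argv[1:], os.environ))
```

Verification is the default in this mapping: the only path that returns False is an explicit --insecure on the command line.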

Work Items

Work items:
swap requests in for httplib2: INPROGRESS
configure command-line and environment options: INPROGRESS
