TLS/SSL verification support

Registered by Dean Troyer on 2012-12-06

Current Python 2.7.x libraries do not perform proper certificate verification. Ensure that a) the client uses the system certificate store for verification; b) the client performs proper server certificate verification; and c) the client handles server certificates signed by intermediate CAs properly. It is assumed that the server side is correctly configured and may be a dedicated SSL/TLS endpoint.

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
Dean Troyer
Direction:
Needs approval
Assignee:
Dean Troyer
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

The Python 2.7.x ssl module doesn't perform any certificate verification. httplib and httplib2 are built on ssl and also do not perform certificate verification. This verification was added in Python 3.2 but has not been backported to 2.7.

The requests module carries a backport of the Python 3.2 match_hostname() function and can replace httplib2.

The solution is to replace httplib2 with requests in python-novaclient and enable it to verify server certificates, and to implement the command-line options that control verification properly.

The (new) command-line options for verification are:
--os-cacert <ca-cert-file>
    Specify a CA bundle file to use in verifying a TLS (https) server certificate. Env var: OS_CACERT
--insecure
    Explicitly disable server certificate verification for TLS (https) requests.
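An added example (not python-novaclient's own code) showing how the two options above, plus the OS_CACERT environment variable, map onto the `verify` argument that the requests library uses when checking a server certificate. It assumes requests is installed; the helper names (build_parser, verify_setting, verify_from_argv, fetch) are hypothetical.

```python
import argparse
import os

try:
    import requests
except ImportError:  # the option logic below can still be exercised without it
    requests = None


def build_parser():
    """Command-line options as described in the blueprint."""
    parser = argparse.ArgumentParser(description="TLS verification options")
    parser.add_argument(
        "--os-cacert", metavar="<ca-cert-file>",
        default=os.environ.get("OS_CACERT"),
        help="CA bundle file used to verify the TLS server certificate "
             "(env var: OS_CACERT)")
    parser.add_argument(
        "--insecure", action="store_true", default=False,
        help="Explicitly disable server certificate verification")
    return parser


def verify_setting(cacert=None, insecure=False):
    """Translate the options into the value passed as requests' `verify`.

    - insecure     -> False: no verification at all (--insecure wins)
    - cacert given -> path to a CA bundle; requests validates the chain against
                      it (intermediates included) and matches the hostname
    - neither      -> True: requests' default trust store
    """
    if insecure:
        return False
    if cacert:
        return cacert
    return True


def verify_from_argv(argv):
    """Parse argv (a list of strings) and return the `verify` value."""
    args = build_parser().parse_args(argv)
    return verify_setting(cacert=args.os_cacert, insecure=args.insecure)


def fetch(url, argv=()):
    """GET url with verification configured from argv.

    With verify set to True or a bundle path, a certificate that does not
    validate raises requests.exceptions.SSLError instead of silently passing.
    """
    if requests is None:
        raise RuntimeError("the requests module is required for fetch()")
    return requests.get(url, verify=verify_from_argv(list(argv)))
```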

Gerrit topic: https://review.openstack.org/#q,topic:bp/tls-verify,n,z

Addressed by: https://review.openstack.org/18257
    Use requests module for HTTP/HTTPS


Work Items

Work items:
swap requests in for httplib2: INPROGRESS
configure command-line and environment options: INPROGRESS
