Do not verify SSL certificates for local connections

1) modifies several pyVim.connect methods to silently disable
SSL verification when connecting to localhost, and
2) adds a small patch to site.py to make it easier to test
this configuration by not throwing away the one good SSL
configuration. I use this patch below to test my change.

Testing Done:
$ python
>>> import ssl
>>> ssl._create_default_https_context = ssl._create_verified_context
>>> from pyVim.connect import SmartConnect
>>> s = SmartConnect() # default host='localhost', no error
>>> s = SmartConnect(host='localhost') # no error
>>> s = SmartConnect(host='127.0.0.1') # no error
>>> s = SmartConnect(host='kevinc-esx.eng.vmware.com')
Traceback (most recent call last):
...
ssl.CertificateError: hostname 'kevinc-esx.eng.vmware.com' doesn't match 'localhost.localdomain'
tianhao he 2016-04-19 10:56:52 -07:00
parent bab12c6061
commit a010a38196

@ -53,6 +53,19 @@ Global (thread-shared) ServiceInstance
@todo: Get rid of me?
"""
def localSslFixup(host, sslContext):
"""
Connections to 'localhost' do not need SSL verification as a certificate
will never match. The OS provides security by only allowing root to bind
to low-numbered ports.
"""
if not sslContext and host in ['localhost', '127.0.0.1', '::1']:
import ssl
if hasattr(ssl, '_create_unverified_context'):
sslContext = ssl._create_unverified_context()
return sslContext
class closing(object):
"""
Helper class for using closable objects in a 'with' statement,
@ -235,6 +248,8 @@ def Connect(host='localhost', port=443, user='root', pwd='',
except ValueError as ve:
pass
sslContext = localSslFixup(host, sslContext)
if namespace:
assert(version is None)
version = versionMap[namespace]
@ -690,6 +705,8 @@ def SmartStubAdapter(host='localhost', port=443, path='/sdk',
if preferredApiVersions is None:
preferredApiVersions = GetServiceVersions('vim25')
sslContext = localSslFixup(host, sslContext)
supportedVersion = __FindSupportedVersion('https' if port > 0 else 'http',
host,
port,
@ -759,6 +776,8 @@ def SmartConnect(protocol='https', host='localhost', port=443, user='root', pwd=
if preferredApiVersions is None:
preferredApiVersions = GetServiceVersions('vim25')
sslContext = localSslFixup(host, sslContext)
supportedVersion = __FindSupportedVersion(protocol,
host,
port,
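Review bot: `localSslFixup` in the first hunk disables certificate verification for every connection to 'localhost', '127.0.0.1' or '::1' regardless of port, but its docstring justifies this by root-only binding of low-numbered ports. That argument does not cover a caller-supplied `port` of 1024 or above, and it presumably does not hold on platforms without privileged ports or when the loopback address is the near end of a forwarded tunnel. Consider passing the port through and narrowing the guard, e.g. `def localSslFixup(host, sslContext, port=443):` with `if not sslContext and 0 < port < 1024 and host in ['localhost', '127.0.0.1', '::1']:`, and have the three call sites in `Connect`, `SmartStubAdapter` and `SmartConnect` (whose bodies lie mostly outside the hunks) pass `port`. The downgrade is also silent, so a `warnings.warn(...)` or log line where the unverified context is substituted would make skipped verification visible to operators. The docstring should state that a caller who needs verification on loopback must pass an explicit `sslContext`, since that is the only case in which the fixup leaves the context alone.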