openstack/deb-python-pyvmomi
Code Issues Proposed changes

Do not verify SSL certificates for local connections

Browse Source 
1) modifies several pyVim.connect methods to silently disable
SSL verification when connecting to localhost, and
2) adds a small patch to site.py to make it easier to test
this configuration by not throwing away the one good SSL
configuration. I use this patch below to test my change.

Testing Done:
$ python
>>> import ssl
>>> ssl._create_default_https_context = ssl._create_verified_context
>>> from pyVim.connect import SmartConnect
>>> s = SmartConnect() # default host='localhost', no error
>>> s = SmartConnect(host='localhost') # no error
>>> s = SmartConnect(host='127.0.0.1') # no error
>>> s = SmartConnect(host='kevinc-esx.eng.vmware.com')
Traceback (most recent call last):
...
ssl.CertificateError: hostname 'kevinc-esx.eng.vmware.com' doesn't match 'localhost.localdomain'
This commit is contained in:
tianhao he
2016-04-19 10:56:52 -07:00
parent bab12c6061
commit a010a38196
1 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
pyVim/connect.py
View File

@@ -53,6 +53,19 @@ Global (thread-shared) ServiceInstance
@todo: Get rid of me? @todo: Get rid of me?
""" """
def localSslFixup(host, sslContext):
"""
Connections to 'localhost' do not need SSL verification as a certificate
will never match. The OS provides security by only allowing root to bind
to low-numbered ports.
"""
if not sslContext and host in ['localhost', '127.0.0.1', '::1']:
import ssl
if hasattr(ssl, '_create_unverified_context'):
sslContext = ssl._create_unverified_context()
return sslContext
class closing(object): class closing(object):
""" """
Helper class for using closable objects in a 'with' statement, Helper class for using closable objects in a 'with' statement,
@@ -235,6 +248,8 @@ def Connect(host='localhost', port=443, user='root', pwd='',
except ValueError as ve: except ValueError as ve:
pass pass
sslContext = localSslFixup(host, sslContext)
if namespace: if namespace:
assert(version is None) assert(version is None)
version = versionMap[namespace] version = versionMap[namespace]
@@ -690,6 +705,8 @@ def SmartStubAdapter(host='localhost', port=443, path='/sdk',
if preferredApiVersions is None: if preferredApiVersions is None:
preferredApiVersions = GetServiceVersions('vim25') preferredApiVersions = GetServiceVersions('vim25')
sslContext = localSslFixup(host, sslContext)
supportedVersion = __FindSupportedVersion('https' if port > 0 else 'http', supportedVersion = __FindSupportedVersion('https' if port > 0 else 'http',
host, host,
port, port,
@@ -759,6 +776,8 @@ def SmartConnect(protocol='https', host='localhost', port=443, user='root', pwd=
if preferredApiVersions is None: if preferredApiVersions is None:
preferredApiVersions = GetServiceVersions('vim25') preferredApiVersions = GetServiceVersions('vim25')
sslContext = localSslFixup(host, sslContext)
supportedVersion = __FindSupportedVersion(protocol, supportedVersion = __FindSupportedVersion(protocol,
host, host,
port, port,