Use system CA certificate file

When SSL is being used and the --ca-file option is
not specified, use an available system CA file to
verify the server's certificate.

Change-Id: Id5c9fda6fd9bd05cde3c2a9160a6e72cef086a44
This commit is contained in:
Stuart McLaren
2012-08-10 18:32:07 +00:00
parent a214d983c2
commit 37caf870ac
2 changed files with 22 additions and 3 deletions


@@ -16,6 +16,7 @@
import copy
import httplib
import logging
import os
import socket
import StringIO
import urlparse
@@ -201,7 +202,10 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
cert_file=cert_file)
self.key_file = key_file
self.cert_file = cert_file
if ca_file is not None:
self.ca_file = ca_file
else:
self.ca_file = self.get_system_ca_file()
self.timeout = timeout
self.insecure = insecure
@@ -233,6 +237,20 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = ssl.wrap_socket(sock, **kwargs)
@staticmethod
def get_system_ca_file():
""""Return path to system default CA file"""
# Standard CA file locations for Debian/Ubuntu, RedHat/Fedora,
# Suse, FreeBSD/OpenBSD
ca_path = ['/etc/ssl/certs/ca-certificates.crt',
'/etc/pki/tls/certs/ca-bundle.crt',
'/etc/ssl/ca-bundle.pem',
'/etc/ssl/cert.pem']
for ca in ca_path:
if os.path.exists(ca):
return ca
return None
class ResponseBodyIterator(object):
"""A class that acts as an iterator over an HTTP response."""
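Review bot: get_system_ca_file returns None when none of the four candidate paths exist (the final `return None`), and the constructor hunk above stores that None in self.ca_file; the connect code that assembles the wrap_socket kwargs is outside this hunk, so it is not visible here whether a None ca_file with insecure left False still demands certificate verification or silently falls through to an unverified connection. The lookup-miss case should fail closed with an explicit error that names the option, e.g. `if self.ca_file is None and not self.insecure: raise IOError("No system CA file found; specify --ca-file")`, rather than relying on downstream handling. The docstring under the signature has a stray fourth quote, `""""Return path to system default CA file"""`, which makes the docstring text begin with a literal quote; it should read `"""Return path to system default CA file."""`. Consider `os.path.isfile` instead of `os.path.exists` so a directory at one of those paths is not returned as a bundle.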


@@ -73,8 +73,9 @@ class OpenStackImagesShell(object):
'not necessary if your key is prepended to your cert file.')
parser.add_argument('--ca-file',
help='Path of CA SSL certificate(s) used to sign the remote '
'server\'s certificate.')
help='Path of CA SSL certificate(s) used to verify the remote '
'server\'s certificate. Without this option glance looks '
'for the default system CA certificates.')
parser.add_argument('--timeout',
default=600,