From 822cd64c0718b46a065abbb8709f6b466d12e708 Mon Sep 17 00:00:00 2001
From: Thomas Leaman
Date: Tue, 18 Jun 2013 15:34:45 +0000
Subject: [PATCH] Fix SSL certificate CNAME checking

Currently, accessing a host via ip address will pass SSL verification; the CNAME is not checked as intended as part of verify_callback. 'preverify_ok is True' will always return false (int/bool comparison). preverify_ok will be 1 if preverification has passed.

Fixes bug 1192229

Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
---
 glanceclient/common/http.py | 4 +++-
 tests/test_ssl.py | 10 +++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index 3379a18f..cbcfbf7f 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -334,11 +334,13 @@ class VerifiedHTTPSConnection(HTTPSConnection):
     def verify_callback(self, connection, x509, errnum, depth,
                         preverify_ok):
+        # NOTE(leaman): preverify_ok may be a non-boolean type
+        preverify_ok = bool(preverify_ok)
         if x509.has_expired():
             msg = "SSL Certificate expired on '%s'" % x509.get_notAfter()
             raise exc.SSLCertificateError(msg)
-        if depth == 0 and preverify_ok is True:
+        if depth == 0 and preverify_ok:
             # We verify that the host matches against the last
             # certificate in the chain
             return self.host_matches_cert(self.host, x509)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 60e1188b..cc41f89f 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -125,7 +125,7 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
         self.assertEqual(cert.get_subject().commonName, '0.0.0.0')
         try:
             conn = http.VerifiedHTTPSConnection('0.0.0.0', 0)
-            conn.verify_callback(None, cert, 0, 0, True)
+            conn.verify_callback(None, cert, 0, 0, 1)
         except Exception:
             self.fail('Unexpected exception.')
 
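Review bot: The added `preverify_ok = bool(preverify_ok)` is redundant for the condition this hunk rewrites, because `if depth == 0 and preverify_ok:` already tests the truthiness of the int that pyOpenSSL passes; the cast only has an effect if the value is returned further down in verify_callback, whose body continues past the end of the hunk, and there it would turn OpenSSL's int result into a bool. The NOTE comment states that the type varies but not why it matters, which is the actual bug being fixed; I would write it as `# NOTE(leaman): pyOpenSSL passes preverify_ok as an int (0/1), so test it for truthiness; 'is True' never matched and skipped the hostname check.` It is also worth one line of documentation, in the comment before the host_matches_cert call, that the hostname match only runs for the leaf certificate (depth 0) when OpenSSL's chain verification has already succeeded, and that a falsy preverify_ok at depth 0 presumably falls through to the code below the hunk rather than being treated as a match.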
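Review bot: Changing every verify_callback call from `True` to `1` (this hunk and the @@ -140, @@ -165 and @@ -183 hunks in tests/test_ssl.py) removes the only coverage of a bool argument, so the `bool()` normalisation added in http.py is no longer exercised; keep both forms in at least one test, e.g. `for ok in (1, True): conn.verify_callback(None, cert, 0, 0, ok)`. What is still missing is the negative side of the bug being fixed: no test passes `0` at depth 0 to check that a failed preverification does not result in a successful hostname match, which a single `self.assertFalse(conn.verify_callback(None, cert, 0, 0, 0))` would pin, assuming the fall-through path outside the http.py hunk returns preverify_ok.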
@@ -140,13 +140,13 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
         self.assertEqual(cert.get_subject().commonName, '0.0.0.0')
         try:
             conn = http.VerifiedHTTPSConnection('alt1.example.com', 0)
-            conn.verify_callback(None, cert, 0, 0, True)
+            conn.verify_callback(None, cert, 0, 0, 1)
         except Exception:
             self.fail('Unexpected exception.')
         try:
             conn = http.VerifiedHTTPSConnection('alt2.example.com', 0)
-            conn.verify_callback(None, cert, 0, 0, True)
+            conn.verify_callback(None, cert, 0, 0, 1)
         except Exception:
             self.fail('Unexpected exception.')
@@ -165,7 +165,7 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
             self.fail('Failed to init VerifiedHTTPSConnection.')
         self.assertRaises(exc.SSLCertificateError,
-                          conn.verify_callback, None, cert, 0, 0, True)
+                          conn.verify_callback, None, cert, 0, 0, 1)
     def test_ssl_expired_cert(self):
         """
@@ -183,7 +183,7 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
             self.fail('Failed to init VerifiedHTTPSConnection.')
         self.assertRaises(exc.SSLCertificateError,
-                          conn.verify_callback, None, cert, 0, 0, True)
+                          conn.verify_callback, None, cert, 0, 0, 1)
     def test_ssl_broken_key_file(self):
         """