Ensure server's SSL cert is validated

A bug was introduced which meant that the server SSL certificate was
not being verified. Here we make sure that it is checked (unless
the --insecure flag is used).

Helps guard against man-in-the-middle attacks.

Change-Id: I08f30bf3906b6580c871729311343fa8eefda91b
Closes-bug: #1357430
Stuart McLaren
2014-08-15 14:53:34 +00:00
parent c59ba203dd
commit d6498b602f
2 changed files with 12 additions and 3 deletions


@@ -67,8 +67,16 @@ class HTTPClient(object):
if not compression: if not compression:
self.session.mount("https://", https.HTTPSAdapter()) self.session.mount("https://", https.HTTPSAdapter())
self.session.verify = kwargs.get('cacert', self.session.verify = (kwargs.get('cacert', None),
not kwargs.get('insecure', True)) kwargs.get('insecure', False))
else:
if kwargs.get('insecure', False) is True:
self.session.verify = False
else:
if kwargs.get('cacert', None) is not '':
self.session.verify = kwargs.get('cacert', True)
self.session.cert = (kwargs.get('cert_file'), self.session.cert = (kwargs.get('cert_file'),
kwargs.get('key_file')) kwargs.get('key_file'))
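Review bot: In the new `else` branch, `kwargs.get('cacert', None) is not ''` compares by identity against a string literal, which relies on interning, and a `cacert` that is present but `None` passes the test and sets `self.session.verify = None`. A falsy `verify` normally means no verification in requests, so a caller that forwards an unset `cacert=None` option could end up with validation off on the compressed path; whether any caller does so is not visible here. I would read the value once and assign it only when it names a bundle: `cacert = kwargs.get('cacert')` followed by `if cacert: self.session.verify = cacert`. The enclosing method starts outside the hunk.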


@@ -77,7 +77,8 @@ class HTTPSAdapter(adapters.HTTPAdapter):
def cert_verify(self, conn, url, verify, cert): def cert_verify(self, conn, url, verify, cert):
super(HTTPSAdapter, self).cert_verify(conn, url, verify, cert) super(HTTPSAdapter, self).cert_verify(conn, url, verify, cert)
conn.insecure = not verify conn.ca_certs = verify[0]
conn.insecure = verify[1]
class HTTPSConnectionPool(connectionpool.HTTPSConnectionPool): class HTTPSConnectionPool(connectionpool.HTTPSConnectionPool):
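Review bot: `cert_verify` now indexes `verify[0]` and `verify[1]` without checking that `verify` is the two-element tuple set on the session. requests also accepts a per-request `verify` as a bool or a CA path string; a bool would raise `TypeError` here, and a path string would put its first character in `conn.ca_certs` and a truthy second character in `conn.insecure`, which presumably turns checking off. I would unpack only for a tuple, `if isinstance(verify, tuple): conn.ca_certs, conn.insecure = verify`, and otherwise keep `conn.insecure = not verify`. A one-line comment stating that `verify` is `(cacert, insecure)` for this adapter would also help the next reader.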