authorStuart McLaren <stuart.mclaren@hp.com>2014-08-15 14:53:34 +0000
committerStuart McLaren <stuart.mclaren@hp.com>2014-08-19 11:59:49 +0000
commitd6498b602f4182f6dbd18fd63eaaaaf8b8ada039 (patch)
tree603bc539721879bfef2b3a1e2fd155cda8ac0096
parentc59ba203dda65b949c49aa480685bec1a344374c (diff)
Ensure server's SSL cert is validated
A bug was introduced which meant that the server SSL certificate was not being verified. Here we make sure that it is checked (unless the --insecure flag is used). Helps guard against man-in-the-middle attack. Change-Id: I08f30bf3906b6580c871729311343fa8eefda91b Closes-bug: #1357430
-rw-r--r--glanceclient/common/http.py12
-rw-r--r--glanceclient/common/https.py3
2 files changed, 12 insertions, 3 deletions
diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index 874f2f4..a078436 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -67,8 +67,16 @@ class HTTPClient(object):
if not compression:
self.session.mount("https://", https.HTTPSAdapter())
- self.session.verify = kwargs.get('cacert',
- not kwargs.get('insecure', True))
+ self.session.verify = (kwargs.get('cacert', None),
+ kwargs.get('insecure', False))
+
+ else:
+ if kwargs.get('insecure', False) is True:
+ self.session.verify = False
+ else:
+ if kwargs.get('cacert', None) is not '':
+ self.session.verify = kwargs.get('cacert', True)
+
self.session.cert = (kwargs.get('cert_file'),
kwargs.get('key_file'))
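Review bot: In the added `else:` branch, `kwargs.get('cacert', None) is not ''` is an identity test against a string literal, which only works because of interning, and a caller who passes `cacert=None` explicitly gets `session.verify = None`, because `kwargs.get('cacert', True)` returns the stored None rather than the default. As far as I know requests treats a falsy `verify` as "do not verify", so that input would fail open, which is the class of bug this commit is closing. I would replace the inner `if` with `cacert = kwargs.get('cacert')` followed by `self.session.verify = cacert if cacert else True`, so that empty and missing values both end with verification enabled. A unit test asserting the resulting `session.verify` for `cacert` absent, `''`, `None` and a path, each with and without `insecure`, would pin this down. The enclosing `__init__` starts and ends outside the hunk, so any earlier normalisation of `cacert` is not visible here.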
diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py
index 93c6e6a..4f0e6f5 100644
--- a/glanceclient/common/https.py
+++ b/glanceclient/common/https.py
@@ -77,7 +77,8 @@ class HTTPSAdapter(adapters.HTTPAdapter):
def cert_verify(self, conn, url, verify, cert):
super(HTTPSAdapter, self).cert_verify(conn, url, verify, cert)
- conn.insecure = not verify
+ conn.ca_certs = verify[0]
+ conn.insecure = verify[1]
class HTTPSConnectionPool(connectionpool.HTTPSConnectionPool):
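Review bot: `cert_verify` now indexes `verify` as a `(ca_certs, insecure)` pair without checking its type, and that contract with `HTTPClient` is not documented anywhere in the hunk. If `verify` ever arrives as a CA path string (for example from a per-request override), `verify[1]` is a one-character string, which is truthy, so `conn.insecure` would presumably switch verification off silently. I would unpack explicitly with `ca_certs, insecure = verify` behind an `isinstance(verify, tuple)` check that otherwise leaves `conn.insecure = False`, and add a comment such as `# verify is the (cacert, insecure) tuple set by HTTPClient, not requests' bool/path`. The `super()` call on the line above also receives the tuple, which is always truthy; it is worth confirming that the parent's handling of it is harmless before these two assignments overwrite its result.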