author | Stuart McLaren <stuart.mclaren@hp.com> | 2014-08-15 14:53:34 +0000 |
---|---|---|
committer | Stuart McLaren <stuart.mclaren@hp.com> | 2014-08-19 11:59:49 +0000 |
commit | d6498b602f4182f6dbd18fd63eaaaaf8b8ada039 (patch) | |
tree | 603bc539721879bfef2b3a1e2fd155cda8ac0096 | |
parent | c59ba203dda65b949c49aa480685bec1a344374c (diff) | |
download | python-glanceclient-d6498b602f4182f6dbd18fd63eaaaaf8b8ada039.tar.gz |
Ensure server's SSL cert is validated
A bug was introduced which meant that the server SSL certificate was
not being verified. Here we make sure that it is checked (unless
the --insecure flag is used).
This helps guard against man-in-the-middle attacks.
Change-Id: I08f30bf3906b6580c871729311343fa8eefda91b
Closes-bug: #1357430
-rw-r--r-- | glanceclient/common/http.py | 12 | ||||
-rw-r--r-- | glanceclient/common/https.py | 3 |
2 files changed, 12 insertions, 3 deletions
diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index 874f2f4..a078436 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -67,8 +67,16 @@ class HTTPClient(object):
 if not compression:
 self.session.mount("https://", https.HTTPSAdapter())
- self.session.verify = kwargs.get('cacert',
- not kwargs.get('insecure', True))
+ self.session.verify = (kwargs.get('cacert', None),
+ kwargs.get('insecure', False))
+
+ else:
+ if kwargs.get('insecure', False) is True:
+ self.session.verify = False
+ else:
+ if kwargs.get('cacert', None) is not '':
+ self.session.verify = kwargs.get('cacert', True)
+
 self.session.cert = (kwargs.get('cert_file'), kwargs.get('key_file'))
diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py
index 93c6e6a..4f0e6f5 100644
--- a/glanceclient/common/https.py
+++ b/glanceclient/common/https.py
@@ -77,7 +77,8 @@ class HTTPSAdapter(adapters.HTTPAdapter):
 def cert_verify(self, conn, url, verify, cert):
 super(HTTPSAdapter, self).cert_verify(conn, url, verify, cert)
- conn.insecure = not verify
+ conn.ca_certs = verify[0]
+ conn.insecure = verify[1]
 class HTTPSConnectionPool(connectionpool.HTTPSConnectionPool): |
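Review bot: In the new `else` branch, `kwargs.get('cacert', True)` falls back to `True` only when the key is absent, so a caller that passes `cacert=None` explicitly sets `session.verify` to `None`, which requests appears to treat as falsy and therefore as no verification. The guard `is not ''` also compares identity with a string literal rather than equality, which only holds through interpreter string interning. Both are covered by `cacert = kwargs.get('cacert')` followed by `self.session.verify = cacert or True`, which keeps verification on for `None` and `''` alike. The diffstat shows no test change, so a regression test for the default, `insecure` and `cacert` cases would help keep this from recurring. The enclosing method starts and ends outside the hunk.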
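Review bot: `cert_verify` in https.py now indexes `verify` as a `(cacert, insecure)` pair without checking its shape, so any value other than the tuple set in `HTTPClient` is misread: a CA path string would yield its first two characters, leaving `conn.insecure` truthy, and a bool would raise `TypeError`. Whether a non-tuple can reach this adapter (for example through a per-request `verify=` argument) is not visible here, so failing closed is the safer contract: `if not isinstance(verify, tuple) or len(verify) != 2: raise TypeError('verify must be a (cacert, insecure) tuple')` before the two assignments. The tuple is also still handed to the parent `cert_verify`, where a non-empty tuple is always truthy. A short comment saying that the two `conn` attributes set afterwards are what the connection is expected to honour would make that intent explicit.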