author | Thomas Leaman <thomas.leaman@hp.com> | 2013-06-18 15:34:45 +0000 |
---|---|---|
committer | Thomas Leaman <thomas.leaman@hp.com> | 2013-07-15 08:50:17 +0000 |
commit | 822cd64c0718b46a065abbb8709f6b466d12e708 (patch) | |
tree | 4291a14f919cd73b3588ca4954fea8a57a99d279 | |
parent | 842720801550ff335122b2f2e4837a18aed25081 (diff) | |
Fix SSL certificate CNAME checking
Currently, accessing a host via ip address will pass SSL verification;
the CNAME is not checked as intended as part of verify_callback.
'preverify_ok is True' always evaluates to False, because pyOpenSSL passes preverify_ok as an int (0 or 1), and the identity test `1 is True` is False (int vs. bool).
preverify_ok will be 1 if preverification has passed.
Fixes bug 1192229
Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
-rw-r--r-- | glanceclient/common/http.py | 4 | ||||
-rw-r--r-- | tests/test_ssl.py | 10 |
2 files changed, 8 insertions, 6 deletions
diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py
index 3379a18..cbcfbf7 100644
--- a/glanceclient/common/http.py
+++ b/glanceclient/common/http.py
@@ -334,11 +334,13 @@ class VerifiedHTTPSConnection(HTTPSConnection):
     def verify_callback(self, connection, x509, errnum, depth, preverify_ok):
+        # NOTE(leaman): preverify_ok may be a non-boolean type
+        preverify_ok = bool(preverify_ok)
         if x509.has_expired():
             msg = "SSL Certificate expired on '%s'" % x509.get_notAfter()
             raise exc.SSLCertificateError(msg)
-        if depth == 0 and preverify_ok is True:
+        if depth == 0 and preverify_ok:
             # We verify that the host matches against the last
             # certificate in the chain
             return self.host_matches_cert(self.host, x509)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 60e1188..cc41f89 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -125,7 +125,7 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
         self.assertEqual(cert.get_subject().commonName, '0.0.0.0')
         try:
             conn = http.VerifiedHTTPSConnection('0.0.0.0', 0)
-            conn.verify_callback(None, cert, 0, 0, True)
+            conn.verify_callback(None, cert, 0, 0, 1)
         except Exception:
             self.fail('Unexpected exception.')
@@ -140,13 +140,13 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
         self.assertEqual(cert.get_subject().commonName, '0.0.0.0')
         try:
             conn = http.VerifiedHTTPSConnection('alt1.example.com', 0)
-            conn.verify_callback(None, cert, 0, 0, True)
+            conn.verify_callback(None, cert, 0, 0, 1)
         except Exception:
             self.fail('Unexpected exception.')
         try:
             conn = http.VerifiedHTTPSConnection('alt2.example.com', 0)
-            conn.verify_callback(None, cert, 0, 0, True)
+            conn.verify_callback(None, cert, 0, 0, 1)
         except Exception:
             self.fail('Unexpected exception.')
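Review bot: The added comment at the top of verify_callback says preverify_ok "may be a non-boolean type" but not why, and the why is the entire bug: pyOpenSSL hands the callback OpenSSL's C result as the int 0/1, so the old `preverify_ok is True` identity test could never succeed and the hostname check beneath it was dead code, which is how an IP-addressed host sailed through verification. I would spell that out so nobody restores the `is True` form: `# pyOpenSSL passes OpenSSL's preverify result as an int (0/1), never a bool; normalise it so the truthiness test below cannot silently skip the hostname check again.` Note that the hostname check is still gated on a truthy preverify_ok at depth 0, so a leaf certificate OpenSSL has already rejected is never name-checked here and the outcome is decided by whatever the function returns after the hunk; the `has_expired()` check above the gate does run for every depth regardless of preverify_ok, which is the stricter and correct ordering. verify_callback's body continues past the last hunk line.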
@@ -165,7 +165,7 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
             self.fail('Failed to init VerifiedHTTPSConnection.')
         self.assertRaises(exc.SSLCertificateError,
-                          conn.verify_callback, None, cert, 0, 0, True)
+                          conn.verify_callback, None, cert, 0, 0, 1)
     def test_ssl_expired_cert(self):
         """
@@ -183,7 +183,7 @@ class TestVerifiedHTTPSConnection(testtools.TestCase):
             self.fail('Failed to init VerifiedHTTPSConnection.')
         self.assertRaises(exc.SSLCertificateError,
-                          conn.verify_callback, None, cert, 0, 0, True)
+                          conn.verify_callback, None, cert, 0, 0, 1)
     def test_ssl_broken_key_file(self):
         """ |
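Review bot: Every updated call in these hunks passes `preverify_ok=1`; none exercises `0`, so nothing asserts that a leaf certificate OpenSSL has already rejected is not accepted merely because its CN happens to match the requested host, which is the other half of the gate this fix enables. A case on a name-matching cert such as `self.assertFalse(conn.verify_callback(None, cert, 0, 0, 0))` would pin that, on the assumption that the fall-through branch of verify_callback returns the preverify result (it lies outside these hunks, so confirm before relying on it). Switching the literal from `True` to `1` is the right call since it mirrors what pyOpenSSL actually supplies; a one-line comment above the first such call, e.g. `# pyOpenSSL passes preverify_ok as int 1, not True`, would stop a future cleanup from reverting it. The test method containing the first hunk starts above the hunk.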