womax/python-glanceclient
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix SSL certificate CNAME checking

Browse Source 
Currently, accessing a host via ip address will pass SSL verification;
the CNAME is not checked as intended as part of verify_callback.

'preverify_ok is True' will always return false (int/bool comparison).
preverify_ok will be 1 if preverification has passed.

Fixes bug 1192229

Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
This commit is contained in:
Thomas Leaman
2013-06-18 15:34:45 +00:00
parent 8427208015
commit 822cd64c07
2 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
glanceclient/common/http.py
+3 -1
View File
@@ -334,11 +334,13 @@ class VerifiedHTTPSConnection(HTTPSConnection):
def verify_callback(self, connection, x509, errnum,
depth, preverify_ok):
# NOTE(leaman): preverify_ok may be a non-boolean type
preverify_ok = bool(preverify_ok)
if x509.has_expired():
msg = "SSL Certificate expired on '%s'" % x509.get_notAfter()
raise exc.SSLCertificateError(msg)
if depth == 0 and preverify_ok is True:
if depth == 0 and preverify_ok:
# We verify that the host matches against the last
# certificate in the chain
return self.host_matches_cert(self.host, x509)