10 Commits

Author SHA1 Message Date
Dominik Heidler 097ca3d53f SSL: Handle wildcards in Subject Alternative Names
Closes-Bug: #1259528

Change-Id: Iedc2b98d47f1f9433a4cfd77e07f7f86bae806c1
2013-12-11 10:27:20 +01:00
ZhiQiang Fan 2517203975 Replace OpenStack LLC with OpenStack Foundation
Change-Id: I38dcbcf1a6c8efe540fcf5f29e782cb3826e583d
Fixes-Bug: #1214176
2013-09-20 04:05:51 +08:00
Brian Waldon 683e40fd31 Allow single-wildcard SSL common name matching
Fix bug 1212463

Change-Id: I168601fd9847497c2261c77ce6c856bca187c6c8
2013-08-21 17:57:38 +00:00
Thomas Leaman 822cd64c07 Fix SSL certificate CNAME checking
Currently, accessing a host via IP address will pass SSL verification;
the CNAME is not checked as intended as part of verify_callback.

'preverify_ok is True' will always return false (int/bool comparison).
preverify_ok will be 1 if preverification has passed.

Fixes bug 1192229

Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
2013-07-15 08:50:17 +00:00
Dirk Mueller 62579fbb21 Start using Pyflakes and Hacking
Instead of globally ignoring pyflakes and
hacking warnings, only blacklist those that trigger
very frequently so far, in order to clean them
up in followup commits. Fix and start gating
on the rest already.

Change-Id: Ied7c7250061e3bf379e8286e8ce3b9e4af817faf
2013-06-22 16:00:26 +02:00
Tatyana Leontovich 0995045f2a Improve unit tests for python-glanceclient.glanceclient.common.http
Add several tests for glanceclient.common.http module

Fixes: bug #1149445
Change-Id: I6a47c64e11cefea276163777dcd559316fc8e0ad
2013-04-04 15:06:57 +03:00
Monty Taylor 1d461a6496 Use testtools instead of unittest.
Part of blueprint grizzly-testtools

Change-Id: Ie914fd8f59cddb1a480566ec4eff908bfb51921c
2013-01-02 15:20:36 -08:00
Dean Troyer 4781da7007 Support --os-cacert
* Rename --ca-file to --os-cacert (--ca-file deprecated for
  backward compatibility)
* Add cacert to keystoneclient initialization to verify the
  keystone server certificate

This aligns glanceclient with keystoneclient for option naming
and the use of TLS for the keystone auth connection.  It does not
change the use of TLS/SSL for the glance connection.

Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
2012-12-11 14:46:33 -08:00
Stuart McLaren 7a5946fd87 Verify that host matches certificate
When using https verify that the Common Name (CN) or
the Subject Alternative Name listed in the server's
certificate match the host we are connected to.

Addresses LP bug 1079692.

Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
2012-11-20 09:56:00 +00:00
Stuart McLaren 556082cd66 Implement blueprint ssl-connect-rework
Use pyOpenSSL for HTTPS connections.

This allows:

* Neater loading of system CA files
* Optional disabling of SSL compression

The performance gain from disabling SSL compression is significant
in cases where the image being uploaded/downloaded is in an already
compressed format (e.g. qcow2).

Related to bp ssl-connect-rework.

Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
2012-10-08 13:51:41 +00:00