Bug 848046

Summary: mandate site trustworthiness for https connections by default
Product: [Retired] oVirt Reporter: David Jaša <djasa>
Component: ovirt-engine-cli Assignee: Michael Pasternak <mpastern>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecified CC: acathrow, bazulay, dyasny, iheim, ykaul
Target Milestone: --- Flags: mpastern: ovirt_requires_release_note?
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: 3.1.0.6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-14 04:02:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Jaša 2012-08-14 12:47:03 UTC
Description of problem:
mandate site trustworthiness for https connections by default

Version-Release number of selected component (if applicable):
ovirt-engine-cli-3.1.0.7-1

How reproducible:
always

Steps to Reproduce:
1. run ovirt-shell
2. in ovirt-shell, type:
connect https://server_with_invalid_certificate.example.org/api user password
3.
  
Actual results:
ovirt-shell happily connects

Expected results:
ovirt-shell should refuse to connect if not given root CA certificate unless instructed otherwise by an optional argument

Additional info:
implementation of this bug would make ovirt-shell behaviour on par with the rest of the world

Comment 1 David Jaša 2012-08-14 16:09:15 UTC
discussion under bug 848049 revealed that httplib used by ovirt-engine-sdk does not support server certificate verification at all - see the b!6 phat warning here: [1] so the o-e-sdk will either need to modify it (similarly to [2]) or use a different approach.

In addition, -C and -P options should require each other because specifying just one doesn't make sense and -C option needs a better description (in Python documentation as well...).

[1] http://docs.python.org/library/httplib.html#httplib.HTTPSConnection
[2] http://code.activestate.com/recipes/577548-https-httplib-client-connection-with-certificate-v/

Comment 2 Michael Pasternak 2012-08-16 11:22:10 UTC
fixed in 3.1.0.6
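
The behaviour asked for under "Expected results" and in Comment 1, as an added example that is not the ovirt-engine-sdk or ovirt-engine-cli code: an https connection is refused unless a root CA certificate is supplied or verification is explicitly switched off. It assumes Python 3's `http.client` and `ssl` in place of the `httplib` discussed above; `build_tls_context`, `connect`, `ca_file` and `insecure` are hypothetical names.

```python
import http.client
import ssl
from urllib.parse import urlsplit


class UntrustedConnectionError(ValueError):
    """Raised when an https connection is requested without a trust decision."""


def build_tls_context(ca_file=None, insecure=False):
    """Return an SSLContext, failing closed unless the caller decides otherwise.

    ca_file and insecure are hypothetical parameters for this example.
    """
    if ca_file and insecure:
        raise UntrustedConnectionError("ca_file and insecure are mutually exclusive")
    if insecure:
        # Explicit opt-out: the caller accepts an unauthenticated server.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE is set
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not ca_file:
        raise UntrustedConnectionError(
            "refusing https connection: no root CA certificate given "
            "(pass ca_file, or insecure=True to skip verification)")
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking itself.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)  # raises if missing or not PEM
    return ctx


def connect(url, ca_file=None, insecure=False):
    """Build (without opening) a connection object for an https API URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Assumption of this example: only the https case from the bug is handled.
        raise UntrustedConnectionError("only https URLs are handled here")
    ctx = build_tls_context(ca_file=ca_file, insecure=insecure)
    return http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ctx)
```

The trust decision is made before any socket is opened, so a missing or unreadable CA file stops the connection attempt instead of silently downgrading to an unverified one.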