Bug 848046 - mandate site trustworthiness for https connections by default
Status: CLOSED CURRENTRELEASE
Product: oVirt
Classification: Community
Component: ovirt-engine-cli
Priority: high
Severity: high
Assigned To: Michael Pasternak
Reported: 2012-08-14 08:47 EDT by David Jaša
Modified: 2014-01-12 19:37 EST

Fixed In Version: 3.1.0.6
Doc Type: Bug Fix
Last Closed: 2013-02-13 23:02:30 EST
Type: Bug
mpastern: ovirt_requires_release_note?
Description David Jaša 2012-08-14 08:47:03 EDT
Description of problem:
mandate site trustworthiness for https connections by default

Version-Release number of selected component (if applicable):
ovirt-engine-cli-3.1.0.7-1

How reproducible:
always

Steps to Reproduce:
1. run ovirt-shell
2. in ovirt-shell, type:
connect https://server_with_invalid_certificate.example.org/api user password
3.
  
Actual results:
ovirt-shell happily connects

Expected results:
ovirt-shell should refuse to connect if not given a root CA certificate unless instructed otherwise by an optional argument

Additional info:
implementation of this bug would make ovirt-shell behaviour on par with the rest of the world
Comment 1 David Jaša 2012-08-14 12:09:15 EDT
discussion under bug 848049 revealed that httplib used by ovirt-engine-sdk does not support server certificate verification at all - see the b!6 phat warning here: [1] so the o-e-sdk will either need to modify it (similarly to [2]) or use a different approach.

In addition, -C and -P options should require each other because specifying just one doesn't make sense and -C option needs better description (in Python documentation as well...).

[1] http://docs.python.org/library/httplib.html#httplib.HTTPSConnection
[2] http://code.activestate.com/recipes/577548-https-httplib-client-connection-with-certificate-v/
Comment 2 Michael Pasternak 2012-08-16 07:22:10 EDT
fixed in 3.1.0.6
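
The behaviour requested in this report, sketched as an added example (not code from ovirt-engine-cli or ovirt-engine-sdk): an https connection is refused unless a root CA certificate is supplied or verification is explicitly switched off. It assumes Python 3's `ssl` and `http.client` rather than the Python 2 `httplib` discussed above; `build_tls_context`, `open_connection`, `ca_file` and `insecure` are hypothetical names.

```python
# Added example; Python 3 standard library only, names are hypothetical.
import http.client
import ssl
from urllib.parse import urlsplit


class UntrustedServerError(Exception):
    """Raised when an https connection is requested without a trust anchor."""


def build_tls_context(ca_file=None, insecure=False):
    """Return an SSLContext for the connect command, failing closed.

    ca_file stands for the root CA certificate and insecure for the optional
    opt-out argument that the report asks for.
    """
    if insecure:
        # Explicit opt-out only: no chain validation, no hostname check.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE is set
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not ca_file:
        raise UntrustedServerError(
            "no root CA certificate given; refusing https connection")
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)  # raises if missing or not PEM
    return ctx


def open_connection(url, ca_file=None, insecure=False):
    """Create (but do not yet open) a connection object for url."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return http.client.HTTPConnection(parts.hostname, parts.port)
    ctx = build_tls_context(ca_file, insecure)
    return http.client.HTTPSConnection(parts.hostname, parts.port, context=ctx)
```

With a valid CA file the returned context verifies both the certificate chain and the host name, so the handshake with a server like the one in the reproduction steps fails instead of silently succeeding.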
