It was reported that oVirt 3.1 did not properly validate SSL certificates of the server when the client would connect. This could permit man-in-the-middle attacks. In oVirt sdk, the python httplib.HTTPSConnection function is used to let the programmer specify the client's pair of certificates, but does not force the underlying SSL library to check the server certificate against the client keys. Because of this, the oVirt CLI tool does not check certificates upon connection. The new python SDK (ovirt-engine-sdk) and new python CLI (ovirt-engine-cli) were introduced in oVirt 3.1 [1]; earlier versions are not affected by this flaw. This has been corrected in upstream git for the sdk [2] and the cli [3].

[1] http://wiki.ovirt.org/wiki/Release_Notes#Interfaces
[2] http://gerrit.ovirt.org/#/c/7209/
[3] http://gerrit.ovirt.org/#/c/7249/
Created ovirt-engine tracking bugs for this issue Affects: fedora-all [bug 851674]
Fix for the mentioned issue available in:
sdk: 3.1.0.6
cli: 3.1.0.8
The check of the host name has been added in upstream release 3.4.0.7 of the Python SDK. The CLI doesn't need any modification. Packages containing the fixes are available here:

http://jhernand.fedorapeople.org/rpms/ovirt-engine-sdk-python/3.4.0.7-1

Updates for Fedora 19, Fedora 20, and EPEL 6 are available here:

https://admin.fedoraproject.org/updates/ovirt-engine-sdk-python-3.4.0.7-1.fc19
https://admin.fedoraproject.org/updates/ovirt-engine-sdk-python-3.4.0.7-1.fc20
https://admin.fedoraproject.org/updates/ovirt-engine-sdk-python-3.4.0.7-1.el6
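Added illustration of the two defects discussed in this bug (the unverified server certificate in the first comment and the missing host name check fixed in SDK 3.4.0.7); this is example code, not the oVirt SDK's own, and the helper names flawed_context, fixed_context, verifies_peer, host_name_matches and connect are assumptions. It uses Python 3's ssl and http.client (the module called httplib in the bug) and shows the pre-fix setting beside the corrected one.

```python
import ssl
import http.client  # Python 3 name of the httplib module named in the bug


def flawed_context():
    """Equivalent of the pre-fix behaviour: the client key pair may be
    presented, but the server certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # a MITM presenting any cert is accepted
    return ctx


def fixed_context(ca_bundle=None):
    """Post-fix behaviour: CERT_REQUIRED plus check_hostname, both set by
    create_default_context; ca_bundle is the engine CA file (None = system CAs)."""
    return ssl.create_default_context(cafile=ca_bundle)


def verifies_peer(ctx):
    """True only when the context rejects unverified or mis-named servers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def host_name_matches(peercert, host):
    """Explicit host name check of the kind added in SDK 3.4.0.7, applied to
    the dict shape returned by SSLSocket.getpeercert(): DNS SANs first (with a
    single-label wildcard), falling back to the subject CN when no SAN exists."""
    host = host.lower()
    names = [v.lower() for k, v in peercert.get("subjectAltName", ())
             if k == "DNS"]
    if not names:  # no SAN present: fall back to commonName
        names = [v.lower() for rdn in peercert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name == host:
            return True
        # "*.example.com" matches exactly one label, never "a.b.example.com"
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def connect(host, ctx, cert_file=None, key_file=None):
    """Open the connection; a client certificate may still be presented,
    but it is the context that decides whether the server gets verified."""
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return http.client.HTTPSConnection(host, context=ctx)
```

A connection built with fixed_context() fails the handshake against a server whose certificate is not signed by the given CA or does not name the host, which is exactly what the flawed pattern silently accepted.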