Posted to dev@libcloud.apache.org by "Tomaz Muraus (JIRA)" <ji...@apache.org> on 2013/01/30 07:51:12 UTC

[dev] [jira] [Resolved] (LIBCLOUD-283) Allow SSL_CERT_FILE env to point to location of CA certificates

     [ https://issues.apache.org/jira/browse/LIBCLOUD-283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomaz Muraus resolved LIBCLOUD-283.
-----------------------------------

    Resolution: Fixed
      Assignee: Tomaz Muraus

I've merged my final patch into trunk - http://svn.apache.org/viewvc?view=revision&revision=1440289.

Erinn: Thanks for your initial patch and the proposal.

                
> Allow SSL_CERT_FILE env to point to location of CA certificates
> ---------------------------------------------------------------
>
>                 Key: LIBCLOUD-283
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-283
>             Project: Libcloud
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Erinn Looney-Triggs
>            Assignee: Tomaz Muraus
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-Allow-CA-location-to-be-overriden-with-SSL_CERT_FILE.patch, 0001-Allow-user-to-specify-custom-CA-certificate-to-use-f.patch, ssl_cert_file_with_exists_and_isfile_check_and_warnings_tests.patch, ssl_cert_file_with_exists_and_isfile_check.patch
>
>
> One of the problems that Linux distributions have is a lack of a centralized certificate store for CAs. Couple this with different locations for different distros (as well as different formats, NSS etc.) and it can get to be a pain pretty easily. 
> Currently libcloud has a small set of hard coded locations that are searched for a CA bundle. This patch adds the ability to set the SSL_CERT_FILE environment variable to point to a given location and that file will be used as the CA store. This increases the flexibility in terms of platforms that can use libcloud. 
> openssl, as well as ruby, use the same variable to locate their CA files (if needed).
> Security has been raised as a potential issue here. I can't speak with a great deal of authority on this. It appears to me that an attacker with the level of access required to do this would be able to subvert any program in any number of other ways as well. As usual, flexibility will need to be weighed against security.
> GitHub pull request here: https://github.com/apache/libcloud/pull/90/files
> -Erinn
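
The lookup described in the issue, as an added Python sketch that is neither libcloud's code nor the merged patch: an SSL_CERT_FILE override is checked for existence and for being a regular file before a fallback list is searched. The fallback paths, the CABundleError name, the fail-closed behaviour and the write-permission warning are assumptions of this example.

```python
import os
import stat

# Constructed fallback list: the issue says libcloud searches a small set of
# hard-coded locations but does not name them.
DEFAULT_CA_PATHS = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
]


class CABundleError(Exception):
    """Raised when no usable CA bundle can be selected (hypothetical name)."""


def resolve_ca_bundle(environ=None, defaults=DEFAULT_CA_PATHS):
    """Return (path, warnings) for the CA bundle used to verify peers."""
    environ = os.environ if environ is None else environ
    warnings = []
    override = environ.get("SSL_CERT_FILE")
    if override:
        # An explicit override that cannot be used is an error. Falling back
        # silently would hide the misconfiguration from the operator.
        if not os.path.exists(override):
            raise CABundleError("SSL_CERT_FILE does not exist: %s" % override)
        if not os.path.isfile(override):
            raise CABundleError("SSL_CERT_FILE is not a file: %s" % override)
        # The file decides which CAs are trusted, so flag one that other
        # local accounts are able to rewrite.
        mode = os.stat(override).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            warnings.append("%s is group- or world-writable" % override)
        return override, warnings
    for path in defaults:
        if os.path.isfile(path):
            return path, warnings
    # Fail closed: never continue with certificate verification disabled.
    raise CABundleError("no CA bundle found in %r" % (defaults,))
```

Passing the returned path to the TLS layer as its CA file keeps verification on; the warnings list is for logging the trust decision.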
