Posted to dev@libcloud.apache.org by Alex Gaynor <al...@gmail.com> on 2014/10/16 19:15:48 UTC

[dev] Moving away from doing our own TLS configuration

Hi all,

I was investigating how libcloud does its TLS, in the wake of POODLE.
Right now we're pretty much doing the whole pipeline ourselves, and I think
this is a bit unfortunate: we're a cloud abstraction library, we really
shouldn't be in the business of configuring cryptographic protocols!

Long term, I'd like to outsource our HTTPS handling entirely to something
like requests.  In the short term, I want to clean up various bits of this.

For starters, I've put together a patch which replaces our implementation
of TLS certificate verification with the stdlib one (using the backport
package on PyPI): https://github.com/apache/libcloud/pull/374

What do folks think about this?

Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

Re: [dev] Moving away from doing our own TLS configuration

Posted by Tomaz Muraus <to...@apache.org>.
I'm also +1 for using backports.ssl_match_hostname module.

As far as using the requests library goes - I do think it's reasonable to
switch to requests in the future, but that change will be quite a big one.

We should also consider dropping support for Python 2.5 when switching to
requests or sooner (newer versions of requests don't include support for
Python 2.5 anymore).

On Fri, Oct 17, 2014 at 5:04 AM, John Carr <jo...@unrouted.co.uk> wrote:

> Hi,
>
> I think this is a great idea! In the long run I’d be a fan of using
> requests under the hood, but certainly makes sense to not reinvent the
> crypto wheel in the meantime.
>
> Cheers,
> John
>
> > On 16 Oct 2014, at 18:15, Alex Gaynor <al...@gmail.com> wrote:
> >
> > Hi all,
> >
> > I was investigating how libcloud does its TLS, in the wake of POODLE.
> > Right now we're pretty much doing the whole pipeline ourselves, and I think
> > this is a bit unfortunate: we're a cloud abstraction library, we really
> > shouldn't be in the business of configuring cryptographic protocols!
> >
> > Long term, I'd like to outsource our HTTPS handling entirely to something
> > like requests.  In the short term, I want to clean up various bits of this.
> >
> > For starters, I've put together a patch which replaces our implementation
> > of TLS certificate verification with the stdlib one (using the backport
> > package on PyPI): https://github.com/apache/libcloud/pull/374
> >
> > What do folks think about this?
> >
> > Alex
> >
> > --
> > "I disapprove of what you say, but I will defend to the death your right to
> > say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> > "The people's good is the highest law." -- Cicero
> > GPG Key fingerprint: 125F 5C67 DFE9 4084
>
>

Re: [dev] Moving away from doing our own TLS configuration

Posted by John Carr <jo...@unrouted.co.uk>.
Hi,

I think this is a great idea! In the long run I’d be a fan of using requests under the hood, but certainly makes sense to not reinvent the crypto wheel in the meantime.

Cheers,
John

> On 16 Oct 2014, at 18:15, Alex Gaynor <al...@gmail.com> wrote:
> 
> Hi all,
> 
> I was investigating how libcloud does its TLS, in the wake of POODLE.
> Right now we're pretty much doing the whole pipeline ourselves, and I think
> this is a bit unfortunate: we're a cloud abstraction library, we really
> shouldn't be in the business of configuring cryptographic protocols!
> 
> Long term, I'd like to outsource our HTTPS handling entirely to something
> like requests.  In the short term, I want to clean up various bits of this.
> 
> For starters, I've put together a patch which replaces our implementation
> of TLS certificate verification with the stdlib one (using the backport
> package on PyPI): https://github.com/apache/libcloud/pull/374
> 
> What do folks think about this?
> 
> Alex
> 
> -- 
> "I disapprove of what you say, but I will defend to the death your right to
> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: 125F 5C67 DFE9 4084