Add proper SSL and IPv6 support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Microfiber | Fix Released | High | Jason Gerard DeRose |
Bug Description
Although Microfiber can already make requests to HTTPS URLs, it doesn't verify the server cert, and it doesn't have all the flexibility we need.
So we're now going to create a proper SSLContext for HTTPS URLs and use CERT_REQUIRED for the verify_mode.
And I'm extending the *env* API to allow you to also:
* provide a custom ca_file and/or ca_path for verifying the server cert (otherwise the openssl default will be used)
* provide a client cert (and client key if the cert doesn't contain the key)
* turn off host-name verification (needed for dynamic stuff with Avahi on the local network)
As far as IPv6, Microfiber already supports it perfectly (as far as I can tell). But we don't have unit tests or documentation for IPv6 cases, so I'm working on that.
There is a similar bug in UserCouch, which will need to land first:
https:/
I'm going back and forth between these two bugs right now in order to get the design of the *env* extension right. What I'm thinking of is an optional 'ssl' sub-dictionary something like this:
env = {
    'url': 'https:/
    'ssl': {
        'ca_file': <filename>,
        'ca_path': <dirname>,
        'key_file': <filename>,
    }
}
Everything in env['ssl'] is optional, although providing the 'key_file' doesn't make sense unless you also provide 'cert_file'.
Also, env['ssl'] only has any effect when env['url'] is an https:// URL.
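An added sketch (not Microfiber's own code, and not from the original report) of how an optional env['ssl'] sub-dictionary like the one described above could be turned into an ssl.SSLContext that uses CERT_REQUIRED. The function name build_ssl_context, the 'check_hostname' key and the sample URLs are assumptions; 'cert_file' is the key named in the description.

```python
import ssl
from urllib.parse import urlparse

# 'check_hostname' is a hypothetical key name; the report does not name it.
ALLOWED_KEYS = {'ca_file', 'ca_path', 'cert_file', 'key_file', 'check_hostname'}


def build_ssl_context(env):
    """Return a verifying SSLContext for an https:// URL, or None otherwise."""
    if urlparse(env['url']).scheme != 'https':
        return None  # env['ssl'] only has an effect for https:// URLs

    config = env.get('ssl', {})
    unknown = set(config) - ALLOWED_KEYS
    if unknown:
        # Fail closed on typos such as 'cafile' instead of silently ignoring them
        raise ValueError('unknown ssl keys: {!r}'.format(sorted(unknown)))
    if 'key_file' in config and 'cert_file' not in config:
        raise ValueError("'key_file' requires 'cert_file'")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # always verify the server cert

    if 'ca_file' in config or 'ca_path' in config:
        # Trust only the CAs the caller supplied
        ctx.load_verify_locations(
            cafile=config.get('ca_file'), capath=config.get('ca_path')
        )
    else:
        ctx.set_default_verify_paths()  # fall back to the OpenSSL default

    if 'cert_file' in config:
        # Client cert; key_file may be omitted when the cert contains the key
        ctx.load_cert_chain(config['cert_file'], keyfile=config.get('key_file'))

    # Skipping host-name checks still leaves the chain verified against the CA,
    # so it is only reasonable together with a private ca_file/ca_path.
    ctx.check_hostname = bool(config.get('check_hostname', True))
    return ctx


if __name__ == '__main__':
    # Constructed sample env; the host name is a placeholder.
    ctx = build_ssl_context({'url': 'https://couch.example:6984/'})
    print(ctx.verify_mode, ctx.check_hostname)
```
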
Related branches
- James Raymond: Approve
Diff: 1541 lines (+962/-274)
3 files modified
debian/control (+1/-1)
microfiber.py (+146/-47)
test_microfiber.py (+815/-226)
Changed in microfiber:
status: In Progress → Fix Committed
Changed in microfiber:
status: Fix Committed → Fix Released