Client side SSL related variables
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance | Fix Released | Medium | Stuart McLaren | |
Bug Description
A couple of queries on the use of SSL related variables (I'm not an expert on this
stuff).
1) Currently the glance client must supply both a key and a cert when
using https (via GLANCE_
2) In contrast the GLANCE_
In relation to (1): Is there a case for making these optional? I.e. use them if they are
supplied, otherwise proceed without them. If glance is on a public interface I'm not sure
that we will require users to supply values for these -- e.g. this seems to be the case for Swift.
In relation to (2), both curl (curl -k/--insecure) and wget (wget --no-check-
require you to explicitly state that you don't want to check the server's cert if you don't
supply a ca_file. Would it be worth changing to match that behaviour? I.e. when glance is
using https you must either supply a GLANCE_
as --no-check-
Changed in glance:
status: New → Triaged
Changed in glance:
importance: Undecided → Medium
milestone: none → essex-4
assignee: nobody → Stuart McLaren (stuart-mclaren)
Changed in glance:
milestone: essex-4 → essex-rc1
Changed in glance:
milestone: essex-4 → 2012.1
Hi Stewart,
Regarding #1:
This possibly sounds like a bug. If the glance server is using SSL, client authentication should be optional. If client auth is off on the server side then glance clients would not need to have keys and certs when trying to connect.
Regarding #2:
I'd buy adding an option like this 'glance --no-cert-check'. This would allow you to use glance client for encryption but ignore/skip verification of the glance server's certificate. This flag would certainly be handy for development but you probably wouldn't want it in production as you'd be at risk for man-in-the-middle.
While these issues are related it may be best to file two separate tickets on these?
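The behaviour discussed in this thread, sketched as an added example (not Glance's client code and not part of the original report or reply): the client key and cert are optional, and skipping verification of the server's certificate requires an explicit opt-out rather than happening silently when no CA file is given. The names `resolve_tls_policy`, `build_context`, `TLSPolicy` and the `insecure` parameter are hypothetical, and the file paths used with it are constructed.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TLSPolicy:
    verify_server: bool
    ca_file: Optional[str]
    cert_file: Optional[str]
    key_file: Optional[str]


def resolve_tls_policy(ca_file=None, cert_file=None, key_file=None,
                       insecure=False) -> TLSPolicy:
    """Decide how an HTTPS client connection is set up (hypothetical helper)."""
    # Point (1): client key/cert are optional, used only if supplied.
    # A private key with no certificate cannot authenticate anything.
    if key_file and not cert_file:
        raise ValueError("key_file supplied without cert_file")
    # Point (2): as with curl -k, not checking the server's cert must be
    # an explicit choice. No CA file and no opt-out is an error.
    if not insecure and not ca_file:
        raise ValueError("supply ca_file or explicitly set insecure=True")
    return TLSPolicy(not insecure, ca_file, cert_file, key_file)


def build_context(policy: TLSPolicy) -> ssl.SSLContext:
    """Turn the policy into an ssl.SSLContext for the client socket."""
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if policy.verify_server:
        ctx.load_verify_locations(cafile=policy.ca_file)
    else:
        # Encryption only: no protection against man-in-the-middle.
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    if policy.cert_file:
        # Only needed when the server has client authentication enabled.
        ctx.load_cert_chain(policy.cert_file, keyfile=policy.key_file)
    return ctx
```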