python-keystoneclient SSL CA certificate validation

you can also disable CA validation by

--- keystoneclient/client.py 2012-07-17 18:02:33.910494211 +0200
+++ keystoneclient/client.py.orig 2012-07-17 18:02:22.525503421 +0200
@@ -55,6 +55,7 @@

         # httplib2 overrides
         self.force_exception_to_status_code = True
+ self.disable_ssl_certificate_validation = True

     def authenticate(self):
         """ Authenticate against the keystone API.

Fix proposed to branch: master
Review: https://review.openstack.org/9928

Not validating SSL certificates is definitely not a solution. Then you can as well remove the whole SSL code, if it doesn't check anything. Furthermore, it is actually correct to rely on the certificate store provided by the distribution as it is reviewed by dedicatated security teams (speaking for openSUSE / SLES here but I'm sure thats no different for Ubuntu and RHEL / Fedora) that review and maintain the cert store.

Consider your customer, if you would ship a cert store and a cert gets revoked, you would have to submit a patch to github (to fix the issue for everyone) and then provide that somehow to the customer. OpenStack should only ship example certs so that you can test. But this is nothing you would want to use in production.

I understand your point of view, but this was described as a temporary solution to disable the validation of the CA certificate on the client side to enable SSL while a better solution is proposed.

My request was a parameter on the client side to summit our certificate chain, this parameter is only used in case that you have your own certification authority and it does nothing to the community.

That sounds reasonable, maybe I forgot to clarify that I disregarded the current solution by Liem. I think it still makes sense to add the parameters you proposed. On the other hand, I prefer https://review.openstack.org/#/c/9582/ instead of the 'temporary' solution to the error message ;-)

Reviewed: https://review.openstack.org/9582
Committed: http://github.com/openstack/python-keystoneclient/commit/dec8f77c9233f195999b8db9adbd4f026834fd42
Submitter: Jenkins
Branch: master

commit dec8f77c9233f195999b8db9adbd4f026834fd42
Author: Sascha Peilicke <email address hidden>
Date: Mon Jul 9 17:07:41 2012 +0200

    Add '--insecure' commandline argument

    Allows to ignore validation errors that typically occur with self-signed
    SSL certificates. Making this explicit is important as one would
    typically only use this in development or in-house deployments.

    This should also fix bug 1012591.

    Change-Id: I1210fafc9257648c902176fbcfae9d47e47fc557