Comment 42 for bug 1188189

Random idea:
Maybe this is something which should be discussed/handled by the individual OpenStack distributors/vendors?
They could handle this inside their packages of cinder (or other components)? With pre-/post-scripts while upgrading the package?

All other automatic approaches were it disables SSL verification - or tolerates failing verification would let us end-up with the same security issue again - I guess.

I do not have a better idea either. But maybe we could use the Icehouse release and stress this fundamental change in Upgrade notes/instruction. And switch to SSL verification by default across all the identified OpenStack components.

Introducing some logic like: if the configured HTTPS URL holds an IP address instead of a DNS name, "very likely" SSL verification is not going to succeed so the code falls back to ssl_insecure=True .... or something like that - I would not recommend to do. Since it would silently hide the fact that the current setup is not as secure as one would think.

Not quite sure if just logging that SSL verification failed and continuing with ssl_insecure=True would "solve" it either in a correct fashion.

Maybe security- and release folks should decide to go once through this burden with the Icehouse release or not. And try to warn the admins ahead in Release Notes and Upgrade Instruction to verify if their setup would pass SSL verification - or not.