TrustedFilter was using httplib which doesn't check for CAs.
Here the change is using Requests and verifies local CAs by default (or another
one if provided)
This effort is related to CVE 2013-2255.
SecurityImpact
ReleaseNote
This patch adds an option attestation_insecure_ssl in TrustedFilter which can be
used to verify CAs. The default value is set to True, disabling SSL certificate
verification. While this is the insecure option, it was selected for backward
compatibility reasons.
Closes-Bug: #1373993
(cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)
Reviewed: https:/ /review. openstack. org/127203 /git.openstack. org/cgit/ openstack/ nova/commit/ ?id=d7c8e936f37 3695580721f418e 3eea7a31c00ea1
Committed: https:/
Submitter: Jenkins
Branch: stable/icehouse
commit d7c8e936f373695 580721f418e3eea 7a31c00ea1
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200
Fix unsafe SSL connection on TrustedFilter
TrustedFilter was using httplib which doesn't check for CAs.
Here the change is using Requests and verifies local CAs by default (or another
one if provided)
This effort is related to CVE 2013-2255.
SecurityImpact
ReleaseNote insecure_ ssl in TrustedFilter which can be
This patch adds an option attestation_
used to verify CAs. The default value is set to True, disabling SSL certificate
verification. While this is the insecure option, it was selected for backward
compatibility reasons.
Closes-Bug: #1373993 bbfbcbbb5f21858 873b37685c)
(cherry picked from commit 30871e8702737ed
Conflicts: tests/scheduler /test_host_ filters. py
nova/
Change-Id: I0b8e6319a4cc39 876b1e396ef705f 0fc5def1e44