Comment 7 for bug 1411063

Tristan Cacqueray (tristan-cacqueray) wrote : Re: S3token incorrect condition expression for ssl_insecure

So the middleware is still present with python-keystoneclient, so I guess it should also be fixed there.

Here is a first impact description draft:

Title: S3Token TLS cert verification option not honoured in paste configs
Reporter: Brant Knudson (IBM)
Products: keystonemiddleware
Affects: versions up to 1.5.0 (keystonemiddleware),
         versions up to 0.11.2 (python-keystoneclient)

Description:
Brant Knudson from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure' option
is set in an S3Token paste configuration file it is effectively ignored,
regardless of its value. As a result certificate verification will be
disabled, leaving TLS connections open to MITM attacks. All versions of
s3_token middleware with TLS settings configured via a paste.ini file are
affected by this flaw.
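As an added illustration of the defect class the draft describes (example code, not keystonemiddleware's or python-keystoneclient's own): paste hands the 'insecure' value over as a string, so a plain truthiness test turns verification off for any value, while a strict boolean parser honours the operator's setting. The function names and the sample option dicts are constructed for this example.

```python
"""Illustration of the 'insecure' option handling described in the draft.

Added example, not keystonemiddleware's own code: it shows how a paste.ini
value (always a string) can defeat a truthiness check, and a strict parser.
"""

# Constructed paste.ini-style option dicts; paste hands every value over as a string.
PASTE_INSECURE_FALSE = {"insecure": "false"}   # operator intends verification ON
PASTE_INSECURE_TRUE = {"insecure": "true"}     # operator explicitly opts out
PASTE_UNSET = {}                               # option absent: default applies

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def verify_naive(conf):
    """Bug pattern: tests the raw option for truthiness.

    Any non-empty string, including "false" or "0", is truthy in Python, so
    the mere presence of the key disables TLS certificate verification.
    """
    insecure = conf.get("insecure", False)
    return not insecure


def parse_bool(value, default=False):
    """Strictly parse a config string as a boolean; reject unknown spellings."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("unrecognised boolean value for 'insecure': %r" % (value,))


def verify_fixed(conf):
    """Fixed: verification stays on unless 'insecure' parses as true."""
    return not parse_bool(conf.get("insecure"), default=False)


if __name__ == "__main__":
    cases = (("false", PASTE_INSECURE_FALSE), ("true", PASTE_INSECURE_TRUE), ("unset", PASTE_UNSET))
    for name, conf in cases:
        print("insecure=%-5s naive verify=%-5s fixed verify=%s"
              % (name, verify_naive(conf), verify_fixed(conf)))
```

Only the "false" row differs between the two columns, which is exactly the case the draft calls out: the naive check disables verification even though the operator asked for it.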