Must check certificates for validity

Bug #781949 reported by Gustavo Niemeyer
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
pyjuju | Fix Released | High | Clint Byrum |
txAWS | Fix Released | Medium | Thomas Herve |
juju (Ubuntu) | Fix Released | High | Clint Byrum |
  Precise | Fix Released | High | Clint Byrum |
txaws (Ubuntu) | Fix Released | High | Clint Byrum |
  Precise | Fix Released | High | Clint Byrum |

Bug Description

txAWS is currently not checking the SSL certificates for validity with this logic:

            contextFactory = ssl.ClientContextFactory()
            reactor.connectSSL(host, port, self.client, contextFactory)

This will accept self-signed certificates, which can be easily forged.
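
An added example, not part of the original report and not txAWS or juju code: a static check built on Python's `ast` module that flags `connectSSL()` calls receiving a bare `ClientContextFactory()`, the pattern quoted above. The function names and `SAMPLE` are constructed for illustration, and the name tracking is a per-function heuristic rather than a full data-flow analysis.

```python
import ast

# Constructed sample: the two lines from the report, wrapped in a method.
SAMPLE = '''\
from twisted.internet import reactor, ssl
class Query:
    def submit(self, host, port):
        contextFactory = ssl.ClientContextFactory()
        reactor.connectSSL(host, port, self.client, contextFactory)
'''
FUNCS = (ast.FunctionDef, ast.AsyncFunctionDef)

def _is_unverified(node):
    """True for ClientContextFactory() or <module>.ClientContextFactory()."""
    func = node.func if isinstance(node, ast.Call) else None
    name = getattr(func, "attr", None) or getattr(func, "id", None)
    return name == "ClientContextFactory"

def _scope_nodes(scope):
    """Nodes of one scope, without descending into nested functions."""
    stack, out = list(ast.iter_child_nodes(scope)), []
    while stack:
        out.append(stack.pop())
        if not isinstance(out[-1], FUNCS):
            stack.extend(ast.iter_child_nodes(out[-1]))
    return out

def find_unverified_connect_ssl(source):
    """Line numbers of connectSSL() calls given a non-verifying factory."""
    tree, hits = ast.parse(source), set()
    for scope in [tree] + [n for n in ast.walk(tree) if isinstance(n, FUNCS)]:
        nodes = _scope_nodes(scope)
        # Names bound to ClientContextFactory() in this scope (flow-insensitive).
        tainted = {t.id for n in nodes
                   if isinstance(n, ast.Assign) and _is_unverified(n.value)
                   for t in n.targets if isinstance(t, ast.Name)}
        for n in nodes:
            if not (isinstance(n, ast.Call)
                    and getattr(n.func, "attr", None) == "connectSSL"):
                continue
            # contextFactory is the fourth positional argument of connectSSL().
            arg = n.args[3] if len(n.args) > 3 else next(
                (k.value for k in n.keywords if k.arg == "contextFactory"), None)
            if _is_unverified(arg) or getattr(arg, "id", None) in tainted:
                hits.add(n.lineno)
    return sorted(hits)

if __name__ == "__main__":
    print(find_unverified_connect_ssl(SAMPLE))
```

A factory created in one function and passed to `connectSSL()` from another is not tracked, so a clean result does not prove every connection is verified.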

Thomas Herve (therve)
Changed in txaws:
importance: Undecided → Medium
assignee: nobody → Thomas Herve (therve)
milestone: none → 0.3
Thomas Herve (therve)
Changed in txaws:
status: New → In Progress
Thomas Herve (therve)
Changed in txaws:
status: In Progress → Fix Committed
Clint Byrum (clint-fewbar) wrote :

Once this lands in a release, juju should be updated to make use of it.

Changed in juju:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in txaws (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Clint Byrum (clint-fewbar)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package txaws - 0.2-0ubuntu10

---------------
txaws (0.2-0ubuntu10) precise; urgency=low

  * d/patches/add-ssl-cert-verification.patch: Cherry pick patch from
    upstream to enable SSL certificate verification. (LP: #781949)
 -- Clint Byrum <email address hidden> Wed, 28 Mar 2012 02:39:34 -0700

Changed in txaws (Ubuntu Precise):
status: In Progress → Fix Released
Changed in juju:
milestone: none → florence
Changed in juju (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
importance: Undecided → High
milestone: none → ubuntu-12.04
Changed in juju:
status: In Progress → Fix Released
Changed in txaws:
status: Fix Committed → Fix Released
Clint Byrum (clint-fewbar) wrote :

The EC2 provider verifies all certs now if ssl-hostname-verification: true is in the environment configuration.

Changed in juju (Ubuntu Precise):
status: In Progress → Fix Released
Changed in juju (Ubuntu):
status: In Progress → Fix Released