python-boto should verify SSL certificates and should use the systems certificate repository

Bug #1078444 reported by Andrew Glen-Young on 2012-11-13
This bug affects 2 people
Affects Status Importance Assigned to Milestone
python-boto (Ubuntu)

Bug Description

Currently python-boto does not verify SSL certificates by default. This is unacceptable as this exposes users to man in the middle attacks. This can be worked around by the user (see below).

Unfortunately after enabling verification, python-boto uses it's own cacerts.txt file to verify certificates and does not use the system provided certificates. If a valid certificate is not included in the python-boto shipped cacerts.txt file and certificate validation is tuned on, then verification will fail. I presume that this behaviour exists to enable cross platform compatibility.

Python-boto should enable SSL certificate verification by default and use the system installed certificates (perhaps falling back to it's shipped certs file if necessary). The method to override verification should be included in the package documentation (or a README).

= Workaround to enable verification =

Create a ~/.boto file with the following:

    https_validate_certificates = true

= System Information =

$ cat /etc/lsb-release

$ dpkg-query --show python-boto ca-certificates
ca-certificates 20120623
python-boto 2.3.0-1

Jorge Castro (jorge) on 2012-11-13
Changed in python-boto (Ubuntu):
status: New → Confirmed
Dave Walker (davewalker) on 2012-11-13
information type: Public → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers