python-boto should verify SSL certificates and should use the systems certificate repository
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-boto (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
Currently python-boto does not verify SSL certificates by default. This is unacceptable as this exposes users to man in the middle attacks. This can be worked around by the user (see below).
Unfortunately after enabling verification, python-boto uses it's own cacerts.txt file to verify certificates and does not use the system provided certificates. If a valid certificate is not included in the python-boto shipped cacerts.txt file and certificate validation is tuned on, then verification will fail. I presume that this behaviour exists to enable cross platform compatibility.
Python-boto should enable SSL certificate verification by default and use the system installed certificates (perhaps falling back to it's shipped certs file if necessary). The method to override verification should be included in the package documentation (or a README).
= Workaround to enable verification =
Create a ~/.boto file with the following:
[Boto]
https_
= System Information =
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
$ dpkg-query --show python-boto ca-certificates
ca-certificates 20120623
python-boto 2.3.0-1
Changed in python-boto (Ubuntu): | |
status: | New → Confirmed |
information type: | Public → Public Security |