[Libguestfs] [PATCH v2 2/3] v2v: -o rhv-upload: Only set SSL context for https connections.

Nir Soffer nsoffer at redhat.com
Tue Oct 9 12:15:40 UTC 2018


On Thu, Sep 20, 2018 at 11:51 AM Richard W.M. Jones <rjones at redhat.com>
wrote:

> For real imageio servers the destination will always be https.  This
> change has no effect there.
>
> However when testing we want to use an http server for simplicity.  As
> there is no certificate or cafile in this case the call to create the
> context will fail.
>
> This also simplifies creation of the context object and recognizes the
> "insecure" flag for connecting to imageio.
>
> Thanks: Nir Soffer.
> ---
>  v2v/rhv-upload-plugin.py | 27 +++++++++++++++++++--------
>  1 file changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/v2v/rhv-upload-plugin.py b/v2v/rhv-upload-plugin.py
> index 5cd6d5cab..1a217b6dc 100644
> --- a/v2v/rhv-upload-plugin.py
> +++ b/v2v/rhv-upload-plugin.py
> @@ -207,14 +207,25 @@ def open(readonly):
>      else:
>          destination_url = urlparse(transfer.proxy_url)
>
> -    context = ssl.create_default_context()
> -    context.load_verify_locations(cafile = params['rhv_cafile'])
> -
> -    http = HTTPSConnection(
> -        destination_url.hostname,
> -        destination_url.port,
> -        context = context
> -    )
> +    if destination_url.scheme == "https":
> +        context = \
> +            ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH,
> +                                       cafile = cafile)
> +        if params['insecure']:
> +            context.check_hostname = False
> +            context.verify_mode = ssl.CERT_NONE
> +        http = HTTPSConnection(
> +            destination_url.hostname,
> +            destination_url.port,
> +            context = context
> +        )
> +    elif destination_url.scheme == "http":
> +        http = HTTPConnection(
> +            destination_url.hostname,
> +            destination_url.port,
> +        )
> +    else:
> +        raise RuntimeError("unknown URL scheme (%s)" %
> destination_url.scheme)
>

I would not change production code to support http. Instead the test server
should use HTTPS.

This way we may have working tests when the real code path fails during
runtime.

Nir


>
>      # The first request is to fetch the features of the server.
>
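
Review bot: The `elif destination_url.scheme == "http":` branch opens a plain HTTPConnection on nothing more than the URL scheme, so a destination URL parsed as http is used for the transfer with no TLS and no certificate check. The commit message says http is only wanted for testing, so consider refusing http unless an explicit test setting or `params['insecure']` allows it, and raising the same RuntimeError otherwise. Separately, the https branch passes `cafile = cafile` where the removed lines read `params['rhv_cafile']`; no assignment of `cafile` is visible in this hunk, so confirm it is defined earlier in open(). `HTTPConnection` also needs an import that this hunk does not show. Finally, when `params['insecure']` is set the context is still created with the cafile before verification is switched off; a short comment saying that this is intentional would help the next reader.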
> --
> 2.19.0.rc0
>
> _______________________________________________
> Libguestfs mailing list
> Libguestfs at redhat.com
> https://www.redhat.com/mailman/listinfo/libguestfs
>