[Libguestfs] [PATCH 2/3] v2v: -o rhv-upload: Only set SSL context for https connections.

Nir Soffer nsoffer at redhat.com
Wed Sep 19 17:26:19 UTC 2018


On Wed, Sep 19, 2018 at 7:24 PM Richard W.M. Jones <rjones at redhat.com>
wrote:

> For real imageio servers the destination will always be https.  This
> change has no effect there.
>
> However when testing we want to use an http server for simplicity.  As
> there is no cafile in this case the call to
> ssl.create_default_context().load_verify_locations(cafile=...) will fail.
> ---
>  v2v/rhv-upload-plugin.py | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/v2v/rhv-upload-plugin.py b/v2v/rhv-upload-plugin.py
> index 5cd6d5cab..6e35b5057 100644
> --- a/v2v/rhv-upload-plugin.py
> +++ b/v2v/rhv-upload-plugin.py
> @@ -207,8 +207,11 @@ def open(readonly):
>      else:
>          destination_url = urlparse(transfer.proxy_url)
>
> -    context = ssl.create_default_context()
> -    context.load_verify_locations(cafile = params['rhv_cafile'])
>

This line was never needed. In imageio client we use:

    context = ssl.create_default_context(
        purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)

    if not secure:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

See
https://github.com/oVirt/ovirt-imageio/blob/356d224f1124deb3d63125b1f3b3e583839bcbd9/common/ovirt_imageio_common/client.py#L52

So we can replace this with

    context = ssl.create_default_context(cafile = params.get('rhv_cafile'))


> +    if destination_url.scheme == "https":
> +        context = ssl.create_default_context()
> +        context.load_verify_locations(cafile = params['rhv_cafile'])
> +    else:
> +        context = None
>

This will create a default context inside HTTPSConnection.__init__, which
will try to verify the server certificate and hostname and may fail if the
certificates are not set up properly in the tests.

Nir


>
>      http = HTTPSConnection(
>          destination_url.hostname,
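
Review bot: the bare `else:` added here sends every scheme other than "https" down the `context = None` path, while the unchanged context at the end of the hunk still constructs `HTTPSConnection(destination_url.hostname, ...` regardless of scheme. Match "http" explicitly, raise on anything else so a malformed or unexpected proxy URL cannot silently skip the CA setup, and pick the connection class in the same branch instead of leaving it fixed. The https branch also still indexes `params['rhv_cafile']` directly, so a missing key raises KeyError there; if the CA file is meant to be optional, say so in the commit message and use a lookup that tolerates its absence.
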
> --
> 2.19.0.rc0
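
The scheme handling discussed in this thread, as an added example (not code from the patch, virt-v2v, or ovirt-imageio). `build_context` and `open_connection` are hypothetical names, the `secure` flag mirrors the imageio snippet quoted above, and the URLs are constructed placeholders that are never contacted.

```python
import ssl
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse


def build_context(scheme, cafile=None, secure=True):
    """Return an SSLContext for https, None for http, and reject the rest."""
    if scheme == "http":
        return None  # plain HTTP: there is no TLS layer to configure
    if scheme != "https":
        raise ValueError("unsupported URL scheme: %r" % scheme)
    # cafile=None falls back to the system trust store, so a missing
    # CA file is not an error at this point.
    context = ssl.create_default_context(
        purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if not secure:
        # Order matters: check_hostname must be cleared first, otherwise
        # setting CERT_NONE raises ValueError.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    return context


def open_connection(url, cafile=None, secure=True):
    """Pick the connection class from the scheme; no network I/O happens."""
    parsed = urlparse(url)
    context = build_context(parsed.scheme, cafile, secure)
    if context is None:
        return HTTPConnection(parsed.hostname, parsed.port)
    return HTTPSConnection(parsed.hostname, parsed.port, context=context)


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    for url in ("https://imageio.example:54322/images/t1",
                "http://localhost:8080/images/t1"):
        conn = open_connection(url)
        print(url, "->", type(conn).__name__)
```
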