[Libguestfs] [PATCH 2/3] v2v: -o rhv-upload: Only set SSL context for https connections.

Richard W.M. Jones rjones at redhat.com
Wed Sep 19 21:58:37 UTC 2018


On Wed, Sep 19, 2018 at 08:26:19PM +0300, Nir Soffer wrote:
> On Wed, Sep 19, 2018 at 7:24 PM Richard W.M. Jones <rjones at redhat.com>
> wrote:
> 
> > For real imageio servers the destination will always be https.  This
> > change has no effect there.
> >
> > However when testing we want to use an http server for simplicity.  As
> > there is no cafile in this case the call to
> > ssl.create_default_context().load_verify_locations(cafile=...) will fail.
> > ---
> >  v2v/rhv-upload-plugin.py | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/v2v/rhv-upload-plugin.py b/v2v/rhv-upload-plugin.py
> > index 5cd6d5cab..6e35b5057 100644
> > --- a/v2v/rhv-upload-plugin.py
> > +++ b/v2v/rhv-upload-plugin.py
> > @@ -207,8 +207,11 @@ def open(readonly):
> >      else:
> >          destination_url = urlparse(transfer.proxy_url)
> >
> > -    context = ssl.create_default_context()
> > -    context.load_verify_locations(cafile = params['rhv_cafile'])
> >
> 
> This line was never needed. In imageio client we use:
> 
>     context = ssl.create_default_context(
>         purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
> 
>     if not secure:
>         context.check_hostname = False
>         context.verify_mode = ssl.CERT_NONE
> 
> See
> https://github.com/oVirt/ovirt-imageio/blob/356d224f1124deb3d63125b1f3b3e583839bcbd9/common/ovirt_imageio_common/client.py#L52
> 
> So we can replace this with
> 
>     context = ssl.create_default_context(cafile = params.get('rhv_cafile'))
> 
> 
> > +    if destination_url.scheme == "https":
> > +        context = ssl.create_default_context()
> > +        context.load_verify_locations(cafile = params['rhv_cafile'])
> > +    else:
> > +        context = None
> >
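Review bot: In the added https branch, `params['rhv_cafile']` is still indexed unconditionally and passed to `load_verify_locations`, so an https destination with no CA file configured fails much as the commit message describes for http: a missing key raises KeyError, and a None cafile with no capath or cadata raises TypeError. Passing the value at construction, as `ssl.create_default_context(cafile = params.get('rhv_cafile'))`, keeps verification enabled and falls back to the system trust store when no file is given. The `else: context = None` branch also needs a comment stating that the plain http path exists only for testing, because the hunk does not show how a None context is consumed later in open().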
> 
> This will create a default context inside HTTPSConnection.__init__, which
> will try to verify the server certificate and hostname and may fail if the
> certificates are not set up properly in the tests.

Yeah, actually I screwed up this commit completely.  The second part
of the change was wrongly included in patch 3/3.

I'll rethink this patch completely in the next version.

Thanks,

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top



