[Libguestfs] [PATCH 2/3] v2v: -o rhv-upload: Only set SSL context for https connections.
Richard W.M. Jones
rjones at redhat.com
Wed Sep 19 21:58:37 UTC 2018
On Wed, Sep 19, 2018 at 08:26:19PM +0300, Nir Soffer wrote:
> On Wed, Sep 19, 2018 at 7:24 PM Richard W.M. Jones <rjones at redhat.com>
> wrote:
>
> > For real imageio servers the destination will always be https. This
> > change has no effect there.
> >
> > However when testing we want to use an http server for simplicity. As
> > there is no cafile in this case the call to
> > ssl.create_default_context().load_verify_locations(cafile=...) will fail.
> > ---
> > v2v/rhv-upload-plugin.py | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/v2v/rhv-upload-plugin.py b/v2v/rhv-upload-plugin.py
> > index 5cd6d5cab..6e35b5057 100644
> > --- a/v2v/rhv-upload-plugin.py
> > +++ b/v2v/rhv-upload-plugin.py
> > @@ -207,8 +207,11 @@ def open(readonly):
> > else:
> > destination_url = urlparse(transfer.proxy_url)
> >
> > - context = ssl.create_default_context()
> > - context.load_verify_locations(cafile = params['rhv_cafile'])
> >
>
> This line was never needed. In imageio client we use:
>
> context = ssl.create_default_context(
> purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
>
> if not secure:
> context.check_hostname = False
> context.verify_mode = ssl.CERT_NONE
>
> See
> https://github.com/oVirt/ovirt-imageio/blob/356d224f1124deb3d63125b1f3b3e583839bcbd9/common/ovirt_imageio_common/client.py#L52
>
> So we can replace this with
>
> context = ssl.create_default_context(cafile = params.get('rhv_cafile'))
>
>
> > + if destination_url.scheme == "https":
> > + context = ssl.create_default_context()
> > + context.load_verify_locations(cafile = params['rhv_cafile'])
> > + else:
> > + context = None
> >
>
> This will create a default context inside HTTPSConnection.__init__, which
> will try to
> verify the server certificate and hostname and may fail if the certificates
> are not set
> up properly in the tests.
Yeah, actually I screwed up this commit completely. The second part
of the change was wrongly included in patch 3/3.
I'll rethink this patch completely in the next version.
Thanks,
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
More information about the Libguestfs
mailing list