[openstack-dev] [OSSG] SSL Review (Clark, Robert Graham)

stuart.mclaren at hp.com
Tue Oct 30 16:48:19 UTC 2012


> Robert,
>
> Yeah, I've noticed similar issues with subjectAltNames in the past. For
> keystone, which uses python-httplib2, it currently only works with
> subjectAltNames if you have the CN repeated otherwise it only thinks the
> names in the subjectAltNames are the valid hostnames and doesn't even use
> the CN. I would call that a bug in httplib2. I also don't think httplib2
> currently works when IPs are used in the subjectAltName because it only
> looks at ones with 'DNS' tagged names.
>
> Separate but related, would it be worthwhile making all the clients
> standardize on a particular SSL http library? Some use python-httplib,
> python-httplib2, etc...
>
+1.

For the client side I'd lean towards the httplib + pyopenssl combination
which allows ssl compression to be disabled (for performance), allows
custom ssl verification, and doesn't have the httplib2 retry issues
mentioned here:

https://bugs.launchpad.net/python-glanceclient/+bug/1025265

(Though it may well have other warts I'm not aware of.)
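A hostname-verification routine covering the cases raised in this thread (SAN DNS names, SAN IP addresses, and when the CN should still be consulted), added here as an illustration; it is not code from httplib2, keystone or any OpenStack client, and the certificate dict is a constructed sample in the shape Python's ssl.getpeercert() returns.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# assumption: callers hand us that structure. Values are made up for the demo.
SAMPLE_CERT = {
    "subject": ((("commonName", "glance.example.com"),),),
    "subjectAltName": (
        ("DNS", "api.example.com"),
        ("DNS", "*.internal.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

def _dns_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a single '*' is allowed only
    as the whole leftmost label and never matches across a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False  # reject partial-label and bare-TLD wildcards
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def match_hostname(cert, hostname):
    """Return True if hostname is a valid identity for cert.

    - DNS SANs are checked against a DNS hostname.
    - 'IP Address' SANs are checked when hostname is an IP literal
      (the case the post says httplib2 skips).
    - The subject CN is consulted only when the cert carries no DNS SAN
      at all, as RFC 6125 requires; a SAN cert that omits the CN is valid.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_matches(p, hostname) for p in dns_names)
    # No DNS SAN present: fall back to the first commonName in the subject.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_matches(value, hostname)
    return False
```

Note that with SANs present the CN "glance.example.com" is deliberately not accepted, which is the RFC 6125 behaviour rather than a client bug.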


