Reviewed: https://review.openstack.org/168507 Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=2572ea1410d4cb02b65f5791681d4d8e54adc67c Submitter: Jenkins Branch: master commit 2572ea1410d4cb02b65f5791681d4d8e54adc67c Author: Ian Cordasco <ian.cordasco at rackspace.com> Date: Fri Mar 27 17:49:36 2015 -0500 Switch HTTP store to using requests Previously the HTTP store was using httplib and specifically unverified HTTPS connections to download data about images. By switching to using requests, we will get several benefits: 1. Certificate verification when using HTTPS 2. Connection pooling when following redirects 3. Help handling redirects Closes-bug: 1263067 Partial-bug: 1436082 Implements: blueprint http-store-on-requests Co-Authored-By: Sabari Kumar Murugesan <smurugesan at vmware.com> Change-Id: Ib114919c1e1361ba64fe9e8382e1a2c39dbb3271 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1436082 Title: VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection Status in glance_store: In Progress Status in OpenStack Security Notes: Fix Released Bug description: VMWare store: https://github.com/openstack/glance_store/blob/ea88e503b617a7ac9a0ae7e537d6517e9992a104/glance_store/_drivers/vmware_datastore.py#L501 (_get_conn_class above uses simply httplib.HTTPSConnection). HTTP Store: https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/http.py#L179 This leaves both stores open to man-in-the-middle attacks while transferring image data. To manage notifications about this bug go to: https://bugs.launchpad.net/glance-store/+bug/1436082/+subscriptions