[openstack-dev] [All] Use of self signed certs in endpoints

Cory Benfield cory at lukasa.co.uk
Tue Nov 17 10:30:50 UTC 2015


> On 16 Nov 2015, at 11:54, Sean Dague <sean at dague.net> wrote:
> That sounds pretty reasonable to me. I definitely support the idea that
> we should be using system CA by default, even if that means overriding
> requests in our tools.

Setting REQUESTS_CA_BUNDLE is absolutely the way to go about this. In requests 2.9.0 we will also support the case that REQUESTS_CA_BUNDLE points to a directory of certificates, not a single certificate file, so this should cover all Linux distributions' methods of distributing OpenSSL-compatible certificates.

If OpenStack wants to support using Windows and OS X built-in certificate stores, that's harder. This is because both systems do not use PEM-file based certificate distribution, which means OpenSSL can’t read them.

Cory
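
The following is an added example, not part of the original message or of requests itself: a pre-flight check that the location named by REQUESTS_CA_BUNDLE is usable either as a PEM file or as a certificate directory. It assumes the directory is handed to OpenSSL as a CA path, where certificates are found by subject-hash file names such as `5ad8a5d6.0`; `check_ca_bundle` and `demo` are hypothetical names, and the sample files are constructed placeholders, not real certificates.

```python
import os
import re
import tempfile

# OpenSSL finds CAs in a directory by subject-hash file name, e.g. "5ad8a5d6.0".
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def check_ca_bundle(environ=os.environ):
    """Return (status, detail) for the CA location named by REQUESTS_CA_BUNDLE."""
    path = environ.get("REQUESTS_CA_BUNDLE")
    if not path:
        return ("unset", "requests falls back to its default bundle")
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            count = fh.read().count(PEM_MARKER)
        if count == 0:
            return ("invalid", "file contains no PEM certificates")
        return ("file", "%d PEM certificate(s)" % count)
    if os.path.isdir(path):
        hashed = [n for n in os.listdir(path) if HASHED_NAME.match(n)]
        if not hashed:
            return ("invalid", "no hash-named entries; run c_rehash on it")
        return ("directory", "%d hash-named entries" % len(hashed))
    return ("missing", "path does not exist")

def demo():
    """Run the check over constructed sample locations (no real CA data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "ca-bundle.pem")
        with open(bundle, "wb") as fh:
            fh.write(PEM_MARKER + b"\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
        plain = os.path.join(tmp, "plain")      # PEM files, never rehashed
        hashed = os.path.join(tmp, "hashed")    # layout c_rehash produces
        os.mkdir(plain)
        os.mkdir(hashed)
        open(os.path.join(plain, "my-ca.pem"), "wb").close()
        open(os.path.join(hashed, "5ad8a5d6.0"), "wb").close()
        cases = {"file": bundle, "plain": plain, "hashed": hashed,
                 "gone": os.path.join(tmp, "nope")}
        for label, path in cases.items():
            results[label] = check_ca_bundle({"REQUESTS_CA_BUNDLE": path})[0]
    results["unset"] = check_ca_bundle({})[0]
    return results

if __name__ == "__main__":
    print(demo())
```

A directory of plain `.pem` files that has not been rehashed is reported as invalid, because OpenSSL would find no CA in it and every verification would fail.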