See https://review.openstack.org/#/c/168507 for the HTTP Store and https://review.openstack.org/168540 for the VMWare Store. -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1436082 Title: VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection Status in OpenStack Glance backend store-drivers library (glance_store): In Progress Bug description: VMWare store: https://github.com/openstack/glance_store/blob/ea88e503b617a7ac9a0ae7e537d6517e9992a104/glance_store/_drivers/vmware_datastore.py#L501 (_get_conn_class above uses simply httplib.HTTPSConnection). HTTP Store: https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/http.py#L179 This leaves both stores open to man-in-the-middle attacks while transferring image data. To manage notifications about this bug go to: https://bugs.launchpad.net/glance-store/+bug/1436082/+subscriptions