Bug #18890

closed

[sdk] bring the python keep SDK in line with ARVADOS_API_HOST_INSECURE

Added by Ward Vandewege 11 months ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Start date: 03/17/2022
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto

Description

ARVADOS_API_HOST_INSECURE is interpreted in our codebase as "do not validate TLS certificate validity". This includes "do not check if the hostname matches the name on the certificate".

The Python SDK keep code is a bit of an outlier, because it only disables pycurl.SSL_VERIFYPEER when ARVADOS_API_HOST_INSECURE is set, which means the certificate validity check is disabled, but the hostname on the certificate still needs to match the hostname connected to.

libcurl has another flag to disable the hostname check, pycurl.SSL_VERIFYHOST (it's called CURLOPT_SSL_VERIFYHOST in https://curl.se/libcurl/c/curl_easy_setopt.html).

We should also disable pycurl.SSL_VERIFYHOST when ARVADOS_API_HOST_INSECURE is set, for consistency's sake.
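
An added illustration, not code from the Arvados SDK or from this ticket: the two libcurl checks described above, modelled as option sets so the behaviour reported here (hostname check still on) can be compared with the requested one. The helper names, the `legacy` switch and the truthy spellings accepted for the flag are assumptions.

```python
import os

# libcurl defaults: verify the certificate chain (1) and match the hostname (2).
SECURE = {"SSL_VERIFYPEER": 1, "SSL_VERIFYHOST": 2}


def flag_is_true(value):
    """Assumed truthy spellings for the environment flag (hypothetical helper)."""
    return (value or "").strip().lower() in ("1", "t", "true", "y", "yes")


def tls_options(insecure, legacy=False):
    """Return the pycurl TLS options for a Keep request.

    legacy=True reproduces the behaviour described in the ticket: only the
    chain check is turned off, so the hostname must still match.
    """
    opts = dict(SECURE)
    if insecure:
        opts["SSL_VERIFYPEER"] = 0
        if not legacy:
            opts["SSL_VERIFYHOST"] = 0
    return opts


def remaining_checks(opts):
    """List which certificate checks libcurl still performs with these options."""
    checks = []
    if opts["SSL_VERIFYPEER"]:
        checks.append("chain")
    if opts["SSL_VERIFYHOST"]:
        checks.append("hostname")
    return checks


def apply_tls_options(curl, opts):
    """Set the options on a pycurl.Curl handle (pycurl is imported lazily)."""
    import pycurl
    for name, value in opts.items():
        curl.setopt(getattr(pycurl, name), value)


if __name__ == "__main__":
    insecure = flag_is_true(os.environ.get("ARVADOS_API_HOST_INSECURE"))
    for legacy in (True, False):
        opts = tls_options(insecure, legacy=legacy)
        print("legacy" if legacy else "fixed", opts, remaining_checks(opts))
```

With both options at 0 the peer is not authenticated at all, so the flag belongs only on test clusters with self-signed or mismatched certificates.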


Subtasks 1 (0 open, 1 closed)

Task #18891: review 18890-python-sdk-verifyhost | Resolved | Ward Vandewege | 03/17/2022

Actions #1

Updated by Ward Vandewege 11 months ago

  • Status changed from New to In Progress
Actions #2

Updated by Ward Vandewege 11 months ago

  • Description updated (diff)
Actions #3

Updated by Ward Vandewege 11 months ago

Ready for review at aebc2c0d06422698979a822bd59b9354e4bd8487 on branch 18890-python-sdk-verifyhost

developer-run-tests: #2967

Actions #4

Updated by Lucas Di Pentima 11 months ago

This LGTM, thanks!

Actions #5

Updated by Ward Vandewege 11 months ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved
Actions #6

Updated by Peter Amstutz 10 months ago

  • Release set to 46