fazledyn-or opened a new issue, #1945: URL: https://github.com/apache/libcloud/issues/1945
## Summary

This bug report is created by manually analyzing the source code based on two fixes generated by the Intelligent Code Repair tool (iCR).

## Detailed Information

- Python: 3.8.10
- OS: Ubuntu 20.04

# Suggested Fix 1

In your project file [libcloud/compute/drivers/vsphere.py](https://github.com/apache/libcloud/blob/trunk/libcloud/compute/drivers/vsphere.py) on Line 111, there’s a code segment that goes-

```py
context = ssl.create_default_context(cafile=ca_cert)
self.connection = connect.SmartConnect(
    host=host,
    port=port,
    user=username,
    pwd=password,
    sslContext=context,
)
```

While triaging your repository, we noticed that the `connect.SmartConnect` method from the `pyVim` library uses a method called `Connect` that calls a method called `__Login`, which creates a `SoapStubAdapter` class object. A comment on that class on Line [1380 - 1384](https://github.com/vmware/pyvmomi/blob/master/pyVmomi/SoapAdapter.py#L1380) goes-

```py
# @param sslContext SSL Context describing the various SSL options. It is
# only supported in Python 2.7.9 or higher.
# if sslContext is used, load cert & key to the context with API
#   sslContext = ssl.create_default_context(cafile=ca_cert_file)
#   sslContext.load_cert_chain(key_file, cert_file)
```

However, in your source file the certificate chain isn’t loaded into the `sslContext` object. We suggest that you load the certificate chain into the `sslContext` object as mentioned in the comments.

# Suggested Fix 2

In the same [file](https://github.com/apache/libcloud/blob/trunk/libcloud/compute/drivers/vsphere.py#L134) on Lines 131 - 135, it goes-

```py
if "certificate verify failed" in error_message:
    # bypass self signed certificates
    try:
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        context.verify_mode = ssl.CERT_NONE
```

Now, it says here that the following code is to bypass self-signed certificates.

In this case, the official [documentation for ssl](https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_SSLv23) says-

> `ssl.PROTOCOL_SSLv23`
> Alias for `PROTOCOL_TLS`.
> Deprecated since version 3.6: Use `PROTOCOL_TLS` instead.

To clear the confusion, it’s suggested that you use `PROTOCOL_TLS` while instantiating the `context` object. However, if the code is used for some other reason than bypassing self-signed certificates, please let us have a discussion.

### CLA Requirements:

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off. The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- [Git Commit Sign Off documentation](https://developercertificate.org/)

### Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the [Open Source Security Foundation (OpenSSF)](https://openssf.org/): [Project Alpha-Omega](https://alpha-omega.dev/). Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.

The bug is found by running the iCR tool by [OpenRefactory, Inc.](https://openrefactory.com/) and then manually triaging the results.
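The two suggestions above, combined into one context-building helper. This is an added example written for this issue, not libcloud's or pyvmomi's own code; `build_vsphere_ssl_context` and `verifies_peer` are hypothetical names, and it uses `ssl.PROTOCOL_TLS_CLIENT` (the current client-side replacement for the `PROTOCOL_TLS` alias the issue recommends) for the opt-in fallback path.

```python
import ssl
from typing import Optional


def build_vsphere_ssl_context(
    ca_cert: Optional[str] = None,
    cert_file: Optional[str] = None,
    key_file: Optional[str] = None,
    allow_self_signed: bool = False,
) -> ssl.SSLContext:
    """Build the SSLContext to pass as connect.SmartConnect(sslContext=...).

    Hypothetical helper for this issue (not libcloud code). Verification is
    the default; the unverified path is an explicit opt-in instead of a
    silent retry on "certificate verify failed".
    """
    if allow_self_signed:
        # Fallback the driver currently builds with the deprecated
        # PROTOCOL_SSLv23 alias. PROTOCOL_TLS_CLIENT negotiates the highest
        # mutually supported TLS version; check_hostname must be disabled
        # before verify_mode can be set to CERT_NONE.
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    else:
        # Default path: validate the server chain against the given CA bundle
        # (or the system store when ca_cert is None); hostname checking and
        # CERT_REQUIRED are already set by create_default_context.
        context = ssl.create_default_context(cafile=ca_cert)

    if cert_file:
        # Client certificate for mutual TLS, the load_cert_chain step the
        # pyvmomi comment describes. key_file may be None when the private
        # key is bundled inside cert_file.
        context.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return context


def verifies_peer(context: ssl.SSLContext) -> bool:
    """True when the context validates both the chain and the hostname."""
    return context.verify_mode == ssl.CERT_REQUIRED and context.check_hostname
```

Call `build_vsphere_ssl_context(ca_cert=..., cert_file=..., key_file=...)` where the driver currently calls `ssl.create_default_context(cafile=ca_cert)`, and only pass `allow_self_signed=True` from an explicit driver option rather than from the exception handler.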