fazledyn-or commented on issue #1945:
URL: https://github.com/apache/libcloud/issues/1945#issuecomment-1689352111

   Hi @Kami, thanks for replying. I think we can apply the following fixes:
   
   # Case 1
   We can rewrite the `vsphere.py` file into something like this: we add options for `keyfile` and `certfile`. Then it completely depends on the user; they may not use the certificate chain, but the support is there in the library.
   
   ### [class VSphereNodeDriver](https://github.com/apache/libcloud/blob/trunk/libcloud/compute/drivers/vsphere.py#L80)
   ```py
   ...
   context = ssl.create_default_context(cafile=ca_cert)
   if certfile and keyfile:
       context.load_cert_chain(certfile=certfile, keyfile=keyfile)
   self.connection = connect.SmartConnect(
       host=host,
       port=port,
       user=username,
       pwd=password,
       sslContext=context,
   )
   ```
   
   ### [class VSphere_REST_NodeDriver](https://github.com/apache/libcloud/blob/trunk/libcloud/compute/drivers/vsphere.py#L1182)
   Since `VSphereNodeDriver` is used by this class too, we add support for the certificate chain here too. The updated code would look something like this:
   
   ```py
    def __init__(self, key, secret=None, secure=True, host=None, port=443, ca_cert=None, certfile=None, keyfile=None):
       ...
       if ca_cert:
           self.connection.connection.ca_cert = ca_cert
       else:
           self.connection.connection.ca_cert = False
       if certfile and keyfile:
           self.connection.connection.certfile = certfile
           self.connection.connection.keyfile = keyfile
       else:
           self.connection.connection.certfile = False
           self.connection.connection.keyfile = False
   ```
   And then use it as below:
   ```py
   self.driver_soap = VSphereNodeDriver(
       ...
       ca_cert=self.connection.connection.ca_cert,
       certfile=self.connection.connection.certfile,
       keyfile=self.connection.connection.keyfile,
   )
   ```
   
   # Case 2
   Since I don't have the entire context about the whole project, I think simply replacing `PROTOCOL_SSLv23` with `PROTOCOL_TLS` will suffice. The fixed code would look something like this:
   ```py
   if "certificate verify failed" in error_message:
       # bypass self signed certificates
       try:
           context = ssl.SSLContext(ssl.PROTOCOL_TLS)
           context.verify_mode = ssl.CERT_NONE
   ```
   
   Please let me know what you think.
   
   

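The following is an added example written for this page; it is not code from the comment above, from libcloud or from pyVmomi. It builds the two kinds of `SSLContext` discussed in the thread side by side: the "bypass self signed certificates" fallback (Case 2) as the "before", and a verified client context that takes the optional `ca_cert`/`certfile`/`keyfile` from Case 1. It also checks a fact a reviewer of Case 2 should know: in CPython `ssl.PROTOCOL_SSLv23` and `ssl.PROTOCOL_TLS` are the same enum member, so that rename changes no runtime behaviour; the setting that disables verification is `CERT_NONE`. The function names (`insecure_fallback_context`, `hardened_context`, `describe`) and the requirement that `certfile` and `keyfile` be supplied together are this example's own assumptions.

```python
import ssl
import warnings

# Added example, not libcloud code. Nothing here opens a network connection;
# it only builds and inspects ssl.SSLContext objects.


def legacy_protocol_constants_are_aliases() -> bool:
    """Return True if PROTOCOL_SSLv23 and PROTOCOL_TLS are the same constant.

    In CPython's ssl module PROTOCOL_SSLv23 is defined as an alias of
    PROTOCOL_TLS, so swapping one name for the other is cosmetic. Both are
    deprecated since Python 3.10 in favour of PROTOCOL_TLS_CLIENT, which is
    what ssl.create_default_context() uses.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.PROTOCOL_SSLv23 == ssl.PROTOCOL_TLS


def insecure_fallback_context() -> ssl.SSLContext:
    """The 'bypass self signed certificates' pattern from Case 2 (the 'before').

    verify_mode=CERT_NONE means any certificate presented by the peer is
    accepted, so an on-path attacker can impersonate the vCenter host.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_cert=None, certfile=None, keyfile=None) -> ssl.SSLContext:
    """Verified client context with optional mutual TLS (the shape of Case 1).

    A self-signed vCenter certificate is handled by trusting exactly that
    certificate (pass it as ca_cert) instead of turning verification off.
    certfile/keyfile load a client certificate chain for mTLS; requiring
    both together is an assumption of this example.
    """
    # create_default_context() gives PROTOCOL_TLS_CLIENT, CERT_REQUIRED and
    # check_hostname=True; cafile=None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=ca_cert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    if bool(certfile) != bool(keyfile):
        raise ValueError("certfile and keyfile must be given together")
    if certfile and keyfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the settings that decide whether the peer is verified."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("SSLv23 is TLS alias:", legacy_protocol_constants_are_aliases())
    print("fallback :", describe(insecure_fallback_context()))
    print("hardened :", describe(hardened_context()))
```

To accept a vCenter that uses a self-signed certificate without weakening the context, export that certificate to a file and pass its path as `ca_cert`; the handshake then succeeds only for that exact certificate, whereas the fallback context accepts anything.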