pywbem library on Ubuntu doesn't support CA certificate verification
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pywbem (Ubuntu) | Fix Released | Medium | Louis Bouchard | |
| Trusty | Fix Released | Medium | Louis Bouchard | |
| Utopic | Fix Released | Medium | Louis Bouchard | |
Bug Description
[SRU justification]
Modification required to support CA certificates
[Impact]
This is required in order to mitigate a MITM OpenStack vulnerability addressed here: https:/
[Fix]
Backport fix already present in the development version
[Test Case]
Run the following script:

```python
#!/usr/bin/python
import pywbem
import logging

def _get_connection
    try:
        conn = None
        conn = pywbem.
    except TypeError:
        print "CA certificates not supported by the pywbem library."
        conn = pywbem.
    if conn is None:
        raise exception.
    return conn

class Provider(object):
    def __init__(self, url, user, password):

if __name__ == '__main__':
    remote = Provider('http://
```
With the fixed version, nothing will be displayed. With the current version, the following will appear:
CA certificates not supported by the pywbem library.
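As an added example (not the bug's test script and not pywbem's own code), the same capability check done by inspecting the connection constructor's signature, and failing closed instead of falling back to a connection that skips certificate verification. `OldConnection` and `NewConnection` are stand-ins constructed here to mimic the 0.7.0-4 and 0.7.0-25 signatures, so it runs on Python 3 without pywbem installed.

```python
"""Check whether a WBEM connection constructor accepts the ca_certs and
no_verification keywords, and refuse to build an unverified connection
when it does not. Added example; the two stand-in classes below are
constructed to mimic the old and new pywbem WBEMConnection signatures."""
import inspect

REQUIRED_KWARGS = ("ca_certs", "no_verification")


class OldConnection(object):
    """Stand-in for pywbem 0.7.0-4: no CA verification parameters."""
    def __init__(self, url, creds, default_namespace="root/cimv2"):
        self.url, self.creds = url, creds


class NewConnection(object):
    """Stand-in for pywbem 0.7.0-25: CA verification parameters present."""
    def __init__(self, url, creds, default_namespace="root/cimv2",
                 ca_certs=None, no_verification=False):
        self.url, self.creds = url, creds
        self.ca_certs, self.no_verification = ca_certs, no_verification


def supports_ca_verification(connection_cls):
    """True if the constructor accepts every keyword in REQUIRED_KWARGS.
    Inspecting the signature is preferred over try/except TypeError, which
    would also swallow unrelated argument errors."""
    params = inspect.signature(connection_cls).parameters
    return all(name in params for name in REQUIRED_KWARGS)


def make_connection(connection_cls, url, creds, ca_certs):
    """Build a verified connection, or raise rather than silently
    downgrading to one that performs no certificate checks."""
    if not supports_ca_verification(connection_cls):
        raise RuntimeError("CA certificates not supported by the pywbem library.")
    return connection_cls(url, creds, ca_certs=ca_certs, no_verification=False)


if __name__ == "__main__":
    # Constructed sample values; the CA bundle path is a placeholder.
    conn = make_connection(NewConnection, "https://cimom.example:5989",
                           ("user", "secret"), "/path/to/ca-bundle.crt")
    print("verified connection to", conn.url)
```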
[Regression]
None expected, the modification is already present in Vivid
[Original description of the problem]
In order to support CA certificates in pywbem, we need pywbem 0.7.0-25 or later. On Ubuntu 12.04 and 14.04, the pywbem version is 0.7.0-4. I'm opening this bug to request that pywbem 0.7.0-25 or later be packaged with Ubuntu 12.04 and 14.04 to support CA certificates.
The two new parameters "ca_cert" and "no_verification" are needed in the Connection API to support CA certificates:
conn = pywbem.
information type: Private Security → Public
affects: ubuntu → pywbem (Ubuntu)
Changed in pywbem (Ubuntu): status: New → Triaged
assignee: nobody → Louis Bouchard (louis-bouchard)
tags: added: cts
Changed in pywbem (Ubuntu): status: Triaged → Confirmed
Changed in pywbem (Ubuntu Trusty): status: New → Confirmed
Changed in pywbem (Ubuntu Utopic): status: New → Confirmed
Changed in pywbem (Ubuntu Trusty): assignee: nobody → Louis Bouchard (louis-bouchard)
Changed in pywbem (Ubuntu Utopic): assignee: nobody → Louis Bouchard (louis-bouchard)
Changed in pywbem (Ubuntu): importance: Undecided → Medium
Changed in pywbem (Ubuntu Trusty): importance: Undecided → Medium
Changed in pywbem (Ubuntu Utopic): importance: Undecided → Medium
description: updated
Xing Yang,
A packaging of the complete 7.0.25 pywbem package is not possible as such. What I can propose is to retrofit the functionality that you are after, which is the verification of the CA Certificates. I believe that this is introduced by the following upstream commit:
http://sourceforge.net/p/pywbem/code/627/
fixed TOCTOU error when validating peer's certificate
By TOCTOU it's meant time-of-check-time-of-use. Up to now, pywbem made two
connections for one request (applies just to ssl). The first one made the
verification (without the hostname check) and the second one was used for
request. No verification was done for the latter, which could be abused.
Peer's certificate is now validated when connecting over ssl. To prevent
man-in-the-middle attack, verification of hostname is also added. Peer's
hostname must match the commonName of its certificate. Or it must be contained
in subjectAltName (list of aliases). M2Crypto package is used for that purpose.
Thanks to it both security enhancements could be implemented quite easily.
Downside is a new dependency added to pywbem. Verification can be skipped if
no_verification is set to False.
Certificate trust store can now be specified by user. Some default paths, valid
for several distributions, were added.
This modification is part of 7.0.25
This would allow you to gain access to the ca_certs= and no_verification= parameters.
Would that be acceptable to you?
Kind regards,
...Louis