ssl.rst 3.83 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
.. _clients-ssl:

SSL authentication
==================

Kamaki supports SSL authenticated connections since version 0.13.

In order to establish secure connections, the https connection module uses a CA
certificates file (see the discussion on
`Certificates <https://docs.python.org/2/library/ssl.html#ssl-certificates>`_
at docs.python.org, for more information).

The CA certificates file location depends on the platform (e.g.,
`/etc/ssl/certs/ca-certifications.crt` on Debian Linux), but developers can
also `provide a custom path <#set-ca-certificates-path>`_.

If the CA certificates path (a) is not set, (b) the file is invalid or (c) the
server fails to authenticate against it, a KamakiSSLError ensues. Developers
can `deactivate SSL errors <#ignore-ssl-errors>`_ and connect insecurely
instead.

Set CA certificates path
------------------------

To set the CA certificates path for all connections, use the following piece of
code before any kamaki clients are initialized.

.. code-block:: python

    from kamaki.clients.utils import https

    https.patch_with_certs(CA_CERTS_PATH)

Ignore SSL Errors
-----------------

.. code-block:: python

    from kamaki.clients.utils import https

    https.patch_to_raise_ssl_errors(False)

.. note:: Ignoring SSL errors works like this:
    The https connection module attempts a secure connection.
    If it fails, it falls back to an insecure connection.

System CA certificates
----------------------

The vast majority of systems is equipped with a CA certificates bundle. The
location of the file may be different across platforms.

Some copies of kamaki are packaged for specific operating systems, while others
are system-ignorant (i.e., installed through pypi, cloned from a GitHub
repository or installed from source code).

If a kamaki package is system-aware, the typical CA certifications path for the
system is set automatically when a kamaki client is initialized.

If the copy is system-ignorant, the caller has to
`provide a CA certificates path <#set-ca-certificates-path>`_.

To check if kamaki is equipped with a default path:

.. code-block:: python

    from kamaki import defaults

    assert defaults.CACERTS_DEFAULT_PATH, 'No default CA certificates'

CA certificates path from config
--------------------------------

The following concerns developers who have set a CA certificates path in kamaki
config. To check if kamaki config is aware of a CA path:

.. code-block:: console

    $ kamaki config get ca_certs

To extract the CA certificates path from config:

.. code-block:: python

    from kamaki.cli import config

    cnf = config.Config()
    ca_certs = cnf.get('global', 'ca_certs')

.. note:: If the configuration file does not contain a ca_certs field, config
    returns the value of CACERTS_DEFAULT_PATH from "kamaki.defaults".

Building packages with SSL support
----------------------------------

To build a kamaki package with SSL support, maintainers must explicitly set the
system provided CA certificates path of the target system to
CACERTS_DEFAULT_PATH in "kamaki.defaults" module.

The purpose of "kamaki.defaults" is to let package maintainers set constants,
the values of which are used at runtime.

In the following example, set the CA certificates path for a Debian system.

.. code-block:: console

    $ tar xvfz kamaki.tar.gz
    ...
    $ echo 'CACERTS_DEFAULT_PATH = /etc/ssl/certs/ca-certificates.crt' \
      >> kamaki/kamaki/defaults.py

.. warning:: editing the `kamaki/kamaki/defaults.py` file should be avoided.
    Maintainers should rather append their settings (in valid python code) at
    the end of the file.

The typical paths for CA certificates differ from system to system. Some of
them are listed bellow::

    *Debian / Ubuntu / Gentoo / Arch*
    `/etc/ssl/certs/ca-certificates.crt`

    *Fedora / RedHat*
    `/etc/pki/tls/certs/ca-bundle.crt`

    *OpenSuse*
    `/etc/ssl/ca-bundle.pem`