VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection

The tests are failing right now because of mocks relying on httplib for testing, but this should be functionally equivalent to the current behaviour.

This patch has some bugs. I'm working on a follow-up.

Attached is the latest update + test fixes. I'll tackle fixing the VMWare store soon too.

I just added the OpenStack VMT because it appears they weren't already subscribed to changes here.

Is this client-facing, or another case of bug 1188189?

Looks like it's another case of bug 18188189.

In that case, there's no need to keep the bug marked private, and it can just be fixed publicly through the normal code review process. The VMT isn't issuing any advisories for server-to-server or server-to-backend communication security hardening measures until the situation across those projects improves to the point where we actually think we've adequately secured this traffic against malicious actors on internal management networks by default.

See https://review.openstack.org/#/c/168507 for the HTTP Store and https://review.openstack.org/168540 for the VMWare Store.

Previous OSSN regarding httplib.HTTPSConnection at https://wiki.openstack.org/wiki/OSSN/OSSN-0033.

Grant - can you add a link to the review for this OSSN please - the 'fixed by' feature for cross posting from Gerrit to LP isn't working for some reason.

The published version of OSSN-0033 has been updated with the new bug references:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0033

Change abandoned by Glance Bot (<email address hidden>) on branch: master
Review: https://review.openstack.org/168507

This was discussed in the driver's meeting on Dec 15th and it was approved as a spec lite

Reviewed: https://review.openstack.org/168507
Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=2572ea1410d4cb02b65f5791681d4d8e54adc67c
Submitter: Jenkins
Branch: master

commit 2572ea1410d4cb02b65f5791681d4d8e54adc67c
Author: Ian Cordasco <email address hidden>
Date: Fri Mar 27 17:49:36 2015 -0500

    Switch HTTP store to using requests

    Previously the HTTP store was using httplib and specifically unverified
    HTTPS connections to download data about images. By switching to using
    requests, we will get several benefits:

    1. Certificate verification when using HTTPS
    2. Connection pooling when following redirects
    3. Help handling redirects

    Closes-bug: 1263067
    Partial-bug: 1436082
    Implements: blueprint http-store-on-requests

    Co-Authored-By: Sabari Kumar Murugesan <email address hidden>

    Change-Id: Ib114919c1e1361ba64fe9e8382e1a2c39dbb3271

Reviewed: https://review.openstack.org/168540
Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=91636e8b85de680ea1347b60b1c2a27022c0f26f
Submitter: Jenkins
Branch: master

commit 91636e8b85de680ea1347b60b1c2a27022c0f26f
Author: Ian Cordasco <email address hidden>
Date: Fri Mar 27 21:18:42 2015 -0500

    Switch VMWare Datastore to use Requests

    Previously the VMWare Datastore was using HTTPS Connections from httplib
    which do not verify the connection. Switching to requests allows the
    store to perform proper connection level verification for a secure
    connection. By switching to using requests, we will get several
    benefits:

    1. Certificate verification when using HTTPS
    2. Connection pooling when following redirects
    3. Help handling redirects
    4. Help with Chunked Encoding

    Partial-bug: 1436082

    Co-authored-by: Sabari Kumar Murugesan <email address hidden>

    Change-Id: I8ff20b2f6bd0e05cd50e44a60ec89fd54f87e1b4

Fix released in glance_store 0.11.0