Drivers not verifying certs by default (solidfire/tegile/tintri)
Bug #1635210 reported by Paul Bourke
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | New | Low | Unassigned |
Bug Description
Currently the drivers referenced have hardcoded verify=False when making HTTP requests. This is bad from a security standpoint. At this point I'm unsure if there's a reason for the default being false, or if it's simply an oversight.
tags: added: drivers solidfire tegile tintri
Changed in cinder:
importance: Undecided → Low
tags: added: coprhd nexenta nimble
Changed in cinder:
assignee: nobody → NidhiMittalHada (nidhimittal19)
Any update on this? I was looking at Bandit issues and it is complaining about this as well. Wondering if this is because some drivers are really only being used internally and thus aren't using certificates or something along those lines?