Xing Yang,
A packaging of the complete 7.0.25 pywbem package is not possible as such. What I can propose is to retrofit the functionality that you are after, which is the verification of the CA Certificates. I believe that this is introduced by the following upstream commit:
http://sourceforge.net/p/pywbem/code/627/
fixed TOCTOU error when validating peer's certificate
By TOCTOU it's meant time-of-check-time-of-use. Up to now, pywbem made two
connections for one request (applies just to ssl). The first one made the
verification (without the hostname check) and the second one was used for
request. No verification was done for the latter, which could be abused.
Peer's certificate is now validated when connecting over ssl. To prevent
man-in-the-middle attack, verification of hostname is also added. Peer's
hostname must match the commonName of its certificate. Or it must be contained
in subjectAltName (list of aliases). M2Crypto package is used for that purpose.
Thanks to it both security enhancements could be implemented quite easily.
Downside is a new dependency added to pywbem. Verification can be skipped if
no_verification is set to False.
Certificate trust store can now be specified by user. Some default paths, valid
for several distributions, were added.
This modification is part of 7.0.25
This would allow you to gain access to the ca_certs= and no_verification= parameters.
Would that be acceptable to you?
Kind regards,
...Louis
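As an added example (not code from this thread and not pywbem's own implementation), here is the hostname check the commit describes, written against the dict shape Python's ssl.getpeercert() returns, together with a TLS context that maps the ca_certs= and no_verification= parameters onto the single verified connection that also carries the request. It goes slightly beyond the commit text in ignoring commonName whenever a DNS subjectAltName is present; the certificate and host names are constructed.

```python
import os
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (hypothetical CIMOM host, not taken from the thread).
SAMPLE_CERT = {
    "subject": ((("commonName", "cimom.example.test"),),),
    "subjectAltName": (("DNS", "cimom.example.test"), ("DNS", "*.cim.example.test")),
}

def _label_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name; a wildcard is honoured only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def cert_names(cert: Dict) -> Tuple[List[str], Optional[str]]:
    """Return (DNS subjectAltName aliases, commonName) from a getpeercert() dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn

def hostname_matches(cert: Dict, hostname: str) -> bool:
    """Peer hostname must be in subjectAltName, or equal the commonName when no
    DNS alias exists (assumption: SAN takes precedence over CN, as in RFC 6125)."""
    sans, cn = cert_names(cert)
    if sans:
        return any(_label_match(san, hostname) for san in sans)
    return cn is not None and _label_match(cn, hostname)

def build_context(ca_certs: Optional[str] = None, no_verification: bool = False) -> ssl.SSLContext:
    """One context, used for the request itself, so there is no unverified second connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if no_verification:  # explicit opt-out only; the default verifies chain and hostname
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_certs:  # user-supplied trust store: a bundle file or a hashed directory
        ctx.load_verify_locations(cafile=None if os.path.isdir(ca_certs) else ca_certs,
                                  capath=ca_certs if os.path.isdir(ca_certs) else None)
    else:
        ctx.load_default_certs()
    return ctx
```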