ssl-hostname-verification in environments.yaml

Clint Byrum clint at
Fri Apr 13 21:57:25 UTC 2012

Just an FYI, in the most recent versions of juju, the ec2 provider has
added SSL hostname certificate verification.

To enable it, add 'ssl-hostname-verification: true' to your
environments.yaml. It will automatically be set to true on newly generated
sample environments.yaml files.

Note that this is only relevant for the EC2 provider. Also, it will
default to being turned on at some point very soon, but I did not want
to break any existing automation without warning. Consider this your
warning! You should also get a warning now if you're not using it:

2012-04-13 14:49:18,561 WARNING ssl-hostname-verification is disabled for this environment
2012-04-13 14:49:18,561 WARNING EC2 API calls encrypted but not authenticated
2012-04-13 14:49:18,561 WARNING S3 API calls encrypted but not authenticated
2012-04-13 14:49:18,561 WARNING Ubuntu Cloud Image lookups encrypted but not authenticated

Note that the EC2 API does have signing and expiration aspects that make
it impossible to forge a request, so even if they do MITM you, they can
only do replay attacks (and then for only a limited amount of time).

However, the Ubuntu Cloud Image query bits *are* quite critical, as a
MITM there could feed you back a trojaned AMI to run. SSL+Cert validation
is the only way to ensure that this is a secure operation.

So, I recommend you set 'ssl-hostname-verification: true' in your EC2
environments now to suppress this warning if you do have a valid cert
for your S3 and EC2 endpoints. Obviously if you are using Amazon the
certs will be signed and validate correctly.

If you don't, like say a test OpenStack cluster, then you will perhaps
appreciate the reminder that you are doing something unsafe, and the
AMI lookup won't be happening anyway because you will have to set a

More information about the Juju mailing list