[Bug 1078444] [NEW] python-boto should verify SSL certificates and should use the systems certificate repository
Andrew Glen-Young
1078444 at bugs.launchpad.net
Tue Nov 13 20:33:43 UTC 2012
Public bug reported:
Currently python-boto does not verify SSL certificates by default. This
is unacceptable as this exposes users to man in the middle attacks. This
can be worked around by the user (see below).
Unfortunately after enabling verification, python-boto uses its own
cacerts.txt file to verify certificates and does not use the system
provided certificates. If a valid certificate is not included in the
python-boto shipped cacerts.txt file and certificate validation is turned
on, then verification will fail. I presume that this behaviour exists to
enable cross platform compatibility.
Python-boto should enable SSL certificate verification by default and
use the system installed certificates (perhaps falling back to its
shipped certs file if necessary). The method to override verification
should be included in the package documentation (or a README).
= Workaround to enable verification =
Create a ~/.boto file with the following:
[Boto]
https_validate_certificates = true
= System Information =
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.10
DISTRIB_CODENAME=quantal
DISTRIB_DESCRIPTION="Ubuntu 12.10"
$ dpkg-query --show python-boto ca-certificates
ca-certificates 20120623
python-boto 2.3.0-1
** Affects: python-boto (Ubuntu)
Importance: Undecided
Status: Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-boto in Ubuntu.
https://bugs.launchpad.net/bugs/1078444
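An added example, not part of the bug report or of python-boto: a small audit that merges boto config files and reports whether the two requests in the report (verification on, system CA store used) are met. It assumes the 2.3.0 default described above (verification off), boto's `ca_certificates_file` option for pointing at another bundle, Ubuntu's ca-certificates bundle path, and, as a conservative assumption, that only the literal `true` enables verification; the function names and sample configs are constructed.

```python
import configparser

# Default taken from the bug report: boto 2.3.0 does not verify unless told to.
DEFAULT_VALIDATE = False
# Bundle generated by the ca-certificates package on Ubuntu.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample configs: the workaround from the report, and a CA override.
WORKAROUND = "[Boto]\nhttps_validate_certificates = true\n"
USE_SYSTEM_CA = "[Boto]\nca_certificates_file = " + SYSTEM_CA_BUNDLE + "\n"


def effective_settings(config_texts):
    """Merge config texts in order (later wins); return (validate, ca_file)."""
    parser = configparser.RawConfigParser()
    for text in config_texts:
        parser.read_string(text)
    validate = DEFAULT_VALIDATE
    ca_file = None  # None: boto uses its own shipped cacerts.txt
    if parser.has_option("Boto", "https_validate_certificates"):
        raw = parser.get("Boto", "https_validate_certificates")
        # Conservative assumption: anything but "true" is treated as disabled.
        validate = raw.strip().lower() == "true"
    if parser.has_option("Boto", "ca_certificates_file"):
        ca_file = parser.get("Boto", "ca_certificates_file").strip()
    return validate, ca_file


def audit(config_texts):
    """Return findings; an empty list means both requests in the report are met."""
    validate, ca_file = effective_settings(config_texts)
    findings = []
    if not validate:
        findings.append("certificate verification is off")
    if ca_file != SYSTEM_CA_BUNDLE:
        findings.append("not using the system CA bundle")
    return findings


if __name__ == "__main__":
    cases = [("no config", []), ("workaround only", [WORKAROUND]),
             ("workaround + system CA", [WORKAROUND, USE_SYSTEM_CA])]
    for label, texts in cases:
        print(label, "->", audit(texts) or "ok")
```
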