Tasks #51946

open

mgr: remove pyOpenSSL dependency

Added by Ken Dreyer over 2 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Tags:
Reviewed:
Affected Versions:
Pull request ID:

Description

From https://pypi.org/project/pyOpenSSL/ , "The Python Cryptographic Authority strongly suggests the use of pyca/cryptography where possible"

We should drop our direct use of PyOpenSSL and use https://pypi.org/project/cryptography/ wherever possible.

git grep -l OpenSSL | grep \.py shows

doc/_ext/ceph_commands.py
doc/_ext/ceph_confval.py
qa/tasks/openssl_keys.py
src/mypy.ini
src/pybind/CMakeLists.txt
src/pybind/mgr/dashboard/cherrypy_backports.py
src/pybind/mgr/mgr_util.py
src/pybind/mgr/requirements.txt
src/pybind/mgr/restful/module.py
src/pybind/mgr/tests/test_tls.py
src/test/rgw/bucket_notification/test_bn.py

mgr_util.py seems to be the main problem, mainly cert handling like create_self_signed_cert(), verify_tls_files(), verify_tls(), verify_cacrt_content().

The cryptography.io docs are excellent, and I'll also mention for what it's worth I've written a separate tool that uses python-cryptography to do things like CA generation and signatures, etc, https://pagure.io/koji-tools/blob/master/f/src/bin/koji-ssl-admin . Feel free to use that as inspiration for rewriting this in Ceph's mgr.
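
As an added illustration (not part of the ticket and not Ceph's mgr_util.py code), this is roughly what self-signed certificate creation and a cert/key sanity check look like with pyca/cryptography alone. The function names `make_self_signed_cert` and `check_cert_and_key` are hypothetical, the RSA-2048/SHA-256 choices and the one-day backdating are assumptions, and a recent `cryptography` release is assumed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

def make_self_signed_cert(common_name, days=3650):
    """Return (cert_pem, key_pem) for a fresh RSA-2048 self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(UTC).replace(microsecond=0)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))  # tolerate clock skew
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return cert.public_bytes(serialization.Encoding.PEM), key_pem

def _spki(public_key):
    # DER SubjectPublicKeyInfo is a stable byte form for comparing public keys
    return public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )

def check_cert_and_key(cert_pem, key_pem):
    """Raise ValueError if the pair is unparsable, expired or mismatched."""
    try:
        cert = x509.load_pem_x509_certificate(cert_pem)
        key = serialization.load_pem_private_key(key_pem, password=None)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"cannot parse certificate or key: {exc}") from exc
    # not_valid_after_utc exists in cryptography >= 42; older releases give naive UTC
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=UTC)
    if datetime.datetime.now(UTC) >= not_after:
        raise ValueError(f"certificate expired at {not_after.isoformat()}")
    if _spki(cert.public_key()) != _spki(key.public_key()):
        raise ValueError("private key does not match certificate")
    return not_after
```

Comparing the DER-encoded SubjectPublicKeyInfo of both keys avoids the TLS-context round trip that a pyOpenSSL-based check would typically use to detect a mismatched pair.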

Actions #1

Updated by Ken Dreyer over 2 years ago

  • Description updated (diff)