Tasks #51946
Updated by Ken Dreyer almost 3 years ago
From https://pypi.org/project/pyOpenSSL/ , "The Python Cryptographic Authority strongly suggests the use of pyca/cryptography where possible".

We should drop our direct use of PyOpenSSL and use https://pypi.org/project/cryptography/ wherever possible.

@git grep -l OpenSSL | grep \.py@ shows

<pre>
doc/_ext/ceph_commands.py
doc/_ext/ceph_confval.py
qa/tasks/openssl_keys.py
src/mypy.ini
src/pybind/CMakeLists.txt
src/pybind/mgr/dashboard/cherrypy_backports.py
src/pybind/mgr/mgr_util.py
src/pybind/mgr/requirements.txt
src/pybind/mgr/restful/module.py
src/pybind/mgr/tests/test_tls.py
src/test/rgw/bucket_notification/test_bn.py
</pre>

@mgr_util.py@ seems to be the main problem, mainly cert handling like @create_self_signed_cert()@, @verify_tls_files()@, @verify_tls()@, @verify_cacrt_content()@.

The cryptography.io cryptography docs are excellent, and I'll also mention, for what it's worth, that I've written a separate tool that uses python-cryptography to do things like CA generation and signatures, etc.: https://pagure.io/koji-tools/blob/master/f/src/bin/koji-ssl-admin . Feel free to use that as inspiration for rewriting this in Ceph's mgr.