
- Allow the use of system provided certificate setup that may be inco…


  into the SSL library used on the specific system
  + At present we either use the default certificate bundle we ship with the
    boto source, or we force a user/integrator to create a bundle file of their
    own. Linux distributors build the way certificates are used and validated
    into their SSL implementation. This change allows integrators to use their
    own certificate handling by setting the configuration option to the new
    "system" keyword.
rjschwei committed Mar 3, 2014
1 parent 64eedce commit cf8b2f0f29c979b91d2606aa40b4bacceb11e8ad
Showing with 20 additions and 7 deletions.
  1. +10 −4 boto/
  2. +6 −2 boto/
  3. +4 −1 docs/source/boto_config_tut.rst
@@ -494,8 +494,11 @@ def __init__(self, host, aws_access_key_id=None,
"support this feature are not available. Certificate "
"validation is only supported when running under Python "
"2.6 or later.")
- self.ca_certificates_file = config.get_value(
+ certs_file = config.get_value(
'Boto', 'ca_certificates_file', DEFAULT_CA_CERTS_FILE)
+ if certs_file == 'system':
+ certs_file = None
+ self.ca_certificates_file = certs_file
if port:
self.port = port
@@ -821,9 +824,12 @@ def proxy_ssl(self, host=None, port=None):
h = httplib.HTTPConnection(host)
if self.https_validate_certificates and HAVE_HTTPS_CONNECTION:
- boto.log.debug("wrapping ssl socket for proxied connection; "
- "CA certificate file=%s",
- self.ca_certificates_file)
+ msg = "wrapping ssl socket for proxied connection; "
+ if self.ca_certificates_file:
+ msg += "CA certificate file=%s" %self.ca_certificates_file
+ else:
+ msg += "using system provided SSL certs"
+ boto.log.debug(msg)
key_file = self.http_connection_kwargs.get('key_file', None)
cert_file = self.http_connection_kwargs.get('cert_file', None)
sslSock = ssl.wrap_socket(sock, keyfile=key_file,
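Review bot: Mapping the `system` keyword to `None` in the first hunk (`__init__` starts before it) only does what the commit message promises if the platform's ssl module consults its own trust store when `ssl.wrap_socket` is given no `ca_certs`; as far as I know stock CPython 2.6/2.7 does not, and with `cert_reqs=CERT_REQUIRED` and `ca_certs=None` it either raises an SSLError (older releases) or verifies against an empty store (newer ones), so the option is effectively distribution-specific. The `cert_reqs`/`ca_certs` arguments are outside both wrap_socket hunks (the `proxy_ssl` call and the `connect` call in the second file continue past the hunk), so I cannot confirm which case applies here; a comment next to the mapping would save the next reader the trip: `# 'system': pass no ca_certs and rely on the SSL library's built-in trust store (requires an ssl/OpenSSL build that loads it by default; stock CPython does not)`. The new log branches in the second hunk and in `connect` in the second file also report "using system provided SSL certs" for any falsy value, so an empty or unset `ca_certificates_file` is logged as a deliberate choice; testing the keyword itself (e.g. keeping it in a separate flag) rather than `if self.ca_certificates_file:` would keep the log honest. Lastly `"CA certificate file=%s" %self.ca_certificates_file` drops the lazy-argument form the removed line used and misses PEP 8 spacing; `boto.log.debug("wrapping ssl socket for proxied connection; CA certificate file=%s", self.ca_certificates_file)` in the true branch keeps formatting deferred, and the same applies to the `connect` hunk.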
@@ -109,8 +109,12 @@ def connect(self):
if hasattr(self, "timeout") and self.timeout is not socket._GLOBAL_DEFAULT_TIMEOUT:
sock.connect((, self.port))
- boto.log.debug("wrapping ssl socket; CA certificate file=%s",
- self.ca_certs)
+ msg = "wrapping ssl socket; "
+ if self.ca_certs:
+ msg += "CA certificate file=%s" %self.ca_certs
+ else:
+ msg += "using system provided SSL certs"
+ boto.log.debug(msg)
self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
@@ -147,7 +147,10 @@ For example::
:is_secure: Is the connection over SSL. This setting will overide passed in
:https_validate_certificates: Validate HTTPS certificates. This is on by default
-:ca_certificates_file: Location of CA certificates
+:ca_certificates_file: Location of CA certificates or the keyword "system".
+ Using the system keyword lets boto get out of the way and makes the
+ SSL certificate validation the responsibility the underlying SSL
+ implementation provided by the system.
:http_socket_timeout: Timeout used to overwrite the system default socket
timeout for httplib .
:send_crlf_after_proxy_auth_headers: Change line ending behaviour with proxies.

