SSL certificate verification

Warning

hcpsdk does not verify SSL certificates presented by HCP by default.

Where SSL certificate verification is desired, hcpsdk lets you enable it without excessive effort:

  • Make sure the SSL certificate presented by HCP contains the IP addresses (!) of all HCP nodes as Subject Alternative Names.
  • Create an SSL context and assign it to the Target object during creation. Each Connection created using that Target will automatically inherit the SSL context.

Here are some hints:

  • This example creates an SSL context with the recommended security settings for client sockets, including automatic certificate verification against the system’s trusted CA store:

     >>> import ssl
     >>> import hcpsdk
     >>> context = ssl.create_default_context()
     >>> auth = hcpsdk.NativeAuthorization('n', 'n01')
     >>> t = hcpsdk.Target('n1.m.hcp1.snomis.local', auth,
     ...                   port=443, sslcontext=context)
    
  • Alternatively, you can create an SSL context that verifies certificates against a local CA file:

     >>> import ssl
     >>> import hcpsdk
     >>> context = ssl.create_default_context(cafile='myCA.pem')
     >>> auth = hcpsdk.NativeAuthorization('n', 'n01')
     >>> t = hcpsdk.Target('n1.m.hcp1.snomis.local', auth,
     ...                   port=443, sslcontext=context)
    

If you want more control over the protocol version and/or the cipher suites in use, follow the Python documentation on SSL context creation.
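The following pre-flight check is an added example and not part of hcpsdk: it builds the same kind of verifying context shown above and, before you hand it to a Target, confirms that the certificate each node presents is accepted and that every node IP appears as an IP Subject Alternative Name. The node IPs (192.0.2.x), port and CA file in the script are placeholders.

```python
import socket
import ssl


def make_verifying_context(cafile=None):
    """Context as in the docs: system trust store, or a local CA file (cafile='myCA.pem')."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already turns both on; guard against a later
    # edit weakening the context before it reaches hcpsdk.Target().
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def ip_sans(cert):
    """'IP Address' SAN entries from a dict as returned by SSLSocket.getpeercert()."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "IP Address"}


def missing_node_ips(cert, node_ips):
    """Node IPs not covered by the certificate's IP SANs; an empty set means all covered."""
    return set(node_ips) - ip_sans(cert)


def check_nodes(node_ips, cafile=None, port=443, timeout=5.0):
    """Connect to each node with verification on and report the outcome per IP."""
    ctx = make_verifying_context(cafile)
    results = {}
    for ip in node_ips:
        try:
            with socket.create_connection((ip, port), timeout=timeout) as sock:
                # Matching against the IP mirrors the docs' requirement that
                # node IPs, not just DNS names, appear as SANs.
                with ctx.wrap_socket(sock, server_hostname=ip) as tls:
                    gap = missing_node_ips(tls.getpeercert(), node_ips)
                    results[ip] = "ok (%s), SANs missing: %s" % (tls.version(), sorted(gap) or "none")
        except ssl.SSLCertVerificationError as exc:
            results[ip] = "REJECTED: %s" % exc.verify_message
        except OSError as exc:
            results[ip] = "unreachable: %s" % exc
    return results


if __name__ == "__main__":
    # Placeholder node IPs; replace with your HCP nodes and, if needed, cafile='myCA.pem'.
    for ip, state in check_nodes(["192.0.2.10", "192.0.2.11"]).items():
        print(ip, state)
```

A "REJECTED" line for a node whose DNS name verifies fine is the symptom of a certificate that lacks that node's IP address as a SAN.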