[Openstack-security] [OSSN][DRAFT]Some SSL-Enabled connections fail to perform basic certificate checks

Bhandaru, Malini K malini.k.bhandaru at intel.com
Thu Aug 15 08:40:51 UTC 2013 

Has anyone started working on this? If not, I shall. Sorry Rob for the delay.
Malini

-----Original Message-----
From: Clark, Robert Graham [mailto:robert.clark at hp.com] 
Sent: Wednesday, August 07, 2013 5:22 AM
To: openstack-security at lists.openstack.org
Subject: [Openstack-security] [OSSN][DRAFT]Some SSL-Enabled connections fail to perform basic certificate checks

Guys, can someone please add some content to this, I'm drafting up a few others today...

Some SSL-Enabled connections fail to perform basic certificate checks
----

### Summary ###
In many places OpenStack components use Python 2.x HTTPSConnection to establish an SSL connection between endpoints. This does not provide many of the assurances one would expect when using SSL and leaves connections open to potential man-in-the-middle attacks

### Affected Services / Software ###
keystone/middleware/s3_token.py
keystone/middleware/ec2_token.py
keystone/common/bufferedhttp.py
vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token
.py
<<<<OTHERS NEED TO BE ADDED HERE>>>>>

### Discussion ###
A secure SSL session relies on validation of a X.509 certificate. Basic checks include:
* Is the certificate signed by a CA I recognize
* Has the CA revoked this certificate
* Does the common name on the certificate match the server I'm trying to reach

The HTTPSConnection class is used in a large number of locations and fails to check that certificates are signed by a valid authority.
Without that check in place, the following checks (some highlighted
above) are largely invalid.

The result is that an attacker who has access to the network traffic between two endpoints relying on HTTPSConnection can trivially create a certificate that will be accepted by HTTPSConnection as valid - allowing the attacker to intercept, read and modify traffic that should be encrypted by SSL.

### Recommended Actions ###
<<<< MORE INVESTIGATION REQUIRED here on short-long term options >>>>

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1188189
OpenStack Security ML : openstack-security at lists.openstack.org OpenStack Security Group : https://launchpad.net/~openstack-ossg

More information about the Openstack-security mailing list