[Openstack-security] [OSSN][DRAFT]Some SSL-Enabled connections fail to perform basic certificate checks

Kurt Seifried kseifried at redhat.com
Fri Aug 16 05:56:07 UTC 2013



On 08/15/2013 02:40 AM, Bhandaru, Malini K wrote:
> Has anyone started working on this? If not, I shall. Sorry Rob for
> the delay. Malini
> 
> -----Original Message-----
> From: Clark, Robert Graham [mailto:robert.clark at hp.com]
> Sent: Wednesday, August 07, 2013 5:22 AM
> To: openstack-security at lists.openstack.org
> Subject: [Openstack-security] [OSSN][DRAFT]Some SSL-Enabled connections fail to perform basic certificate checks
> 
> Guys, can someone please add some content to this, I'm drafting up
> a few others today...
> 
> Some SSL-Enabled connections fail to perform basic certificate checks
> ----
> 
> ### Summary ###
> In many places OpenStack components use Python 2.x HTTPSConnection to
> establish an SSL connection between endpoints. This does not provide
> many of the assurances one would expect when using SSL and leaves
> connections open to potential man-in-the-middle attacks.
> 
> ### Affected Services / Software ###
> keystone/middleware/s3_token.py
> keystone/middleware/ec2_token.py
> keystone/common/bufferedhttp.py
> vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py
> 
> <<<<OTHERS NEED TO BE ADDED HERE>>>>>

This will likely need multiple CVEs; when you have a complete list of
the software affected, please let me know and I'll assign CVEs.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
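As an added example (not from the OSSN draft and not OpenStack code), here is the weakness the summary describes expressed with Python 3's ssl module: a context that behaves like Python 2.x httplib.HTTPSConnection (encrypted channel, no peer verification) next to one that verifies the certificate chain and hostname, plus a small audit helper a reviewer can run over any context before it is handed to HTTPSConnection. The function names are assumptions of this example.

```python
"""Added example: unverified vs. verified TLS client contexts, with an audit."""
import http.client
import ssl


def insecure_context():
    # Equivalent of Python 2.x httplib.HTTPSConnection: the channel is
    # encrypted, but any certificate is accepted and the hostname is never
    # compared with the certificate, so an active interceptor is not detected.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    # Verifies the chain against the system trust store (or a pinned CA
    # bundle if cafile is given) and the hostname against the certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context is sound."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def connect(host, port=443, ctx=None):
    # Always pass an explicit, audited context rather than relying on a
    # library default; refuse to build a connection from a failing context.
    ctx = ctx or hardened_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
```

`connect()` performs no network I/O until `request()` is called, so the audit can be exercised offline against both contexts.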