[Openstack-security] [Bug 1188189] Re: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection)
Jamie Lennox
jlennox at redhat.com
Wed Jul 10 22:54:33 UTC 2013
I've got a patch or two related to this waiting already
** Changed in: python-keystoneclient
Assignee: (unassigned) => Jamie Lennox (jamielennox)
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1188189
Title:
Some server-side 'SSL' communication fails to check certificates (use
of HTTPSConnection)
Status in Cinder:
Confirmed
Status in OpenStack Identity (Keystone):
Confirmed
Status in OpenStack Neutron (virtual network service):
Confirmed
Status in OpenStack Compute (Nova):
Confirmed
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
In Progress
Status in Python client library for Keystone:
Confirmed
Status in OpenStack Object Storage (Swift):
Invalid
Bug description:
Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
objects. In Python 2.x those do not perform CA checks so client
connections are vulnerable to MiM attacks.
"""
The following files use httplib.HTTPSConnection :
keystone/middleware/s3_token.py
keystone/middleware/ec2_token.py
keystone/common/bufferedhttp.py
vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py
AFAICT HTTPSConnection does not validate server certificates and
should be avoided. This is fixed in Python 3, however in 2.X no
validation occurs. I suspect this is also applicable to most OpenStack
modules that make HTTPS client calls.
Similar problems were found in ovirt:
https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)
With solutions for ovirt:
http://gerrit.ovirt.org/#/c/7209/
http://gerrit.ovirt.org/#/c/7249/
"""
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions
More information about the Openstack-security
mailing list