[Openstack-security] [Bug 1381365] Re: SSL Version and cipher selection not possible
Sean Dague
sean at dague.net
Wed Dec 10 20:08:22 UTC 2014
The distro fix for this issue was a patched python that removes the bad
SSL versions. I'm not convinced we should be in the business of working
around that at the openstack layer.
** Changed in: nova
Status: New => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381365
Title:
SSL Version and cipher selection not possible
Status in Cinder:
New
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in OpenStack Identity (Keystone):
Confirmed
Status in OpenStack Compute (Nova):
Won't Fix
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
We configure keystone to use SSL always. Due to the poodle issue, I was trying to configure keystone to disable SSLv3 completely.
http://googleonlinesecurity.blogspot.fi/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
It seems that keystone has no support for configring SSL versions, nor
ciphers.
If I'm not mistaken the relevant code is in the start function in
common/environment/eventlet_server.py
It calls
eventlet.wrap_ssl
but with no SSL version nor cipher options. Since the interface is identical, I assume it uses ssl.wrap_socket. The default here seems to be PROTOCOL_SSLv23 (SSL2 disabled), which would make this vulnerable to the poodle issue.
SSL conifgs should probably be possible to be set in the config file
(with sane defaults), so that current and newly detected weak ciphers
can be disabled without code changes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1381365/+subscriptions
More information about the Openstack-security
mailing list