[Openstack-security] [openstack/keystone] SecurityImpact review request change I695e8deeb89826717ec859461ab2339d8af20805

Jeffrey Walton noloader at gmail.com
Tue Jul 8 15:28:16 UTC 2014


From tests/apache_fixtures.py:

> 'SSL_CLIENT_S_DN': ('CN=localhost,emailAddress=keystone@openstack.org,'
> 'OU=Keystone,O=OpenStack,L=Sunnyvale,ST=CA,C=US'),
> 'SSL_CLIENT_I_DN': ('CN=Self Signed,emailAddress=keystone@openstack.org,'
> 'OU=Keystone,O=OpenStack,L=Sunnyvale,ST=CA,C=US,'
> 'serialNumber=5'),

SSL_CLIENT_S_DN appears to be Subject Distinguished Name. A hostname
in the Common Name (CN) (i.e., CN=localhost) is deprecated by both the
IETF and the CA/Browser Forums [1,2]. Most CAs in the wild follow the
CA/Browser Forums, and *not* the IETF. (And which standard libraries
use is a whole 'nother debate).

It would probably be a good idea to have a couple of test cases that
place the hostname in the Subject Alt Name (SAN), and not the Common
Name (CN). Both the IETF and CA/B want the hostname there.

Also, a negative test case to consider uses a hostname of (1) "*.com",
and (2) "*.uk.com". (1) is a wildcarded gTLD, and (2) is a wildcarded
ccTLD. Both should probably be rejected because they claim purview
over the entire top level domain. Intuitively, we know this is not
possible. Additionally, it's prohibited by the CA/B Baseline Requirements
(which most CAs issue against).

A final negative test case with hostname tricks would be (1)
"keystone.*.com", and (2) "keystone.*.uk.com". In this test case, the
asterisk is *not* in the leftmost label. This suffers the same basic
fault of the previous test case. And it's a violation of the CA/B BR.

I know how Python, PERL, OpenSSL, .Net, Cocoa/CocoaTouch, Ruby, etc.
respond to the negative test cases. For the first test case,
("*.com", and "*.uk.com"), OpenStack will probably need an additional
security control because Python does not handle it correctly. If it's
OpenSSL-based, then *no* hostname matching currently occurs, so
OpenStack will need to implement it (or find a library with it). What
I'm not clear on: how does Apache respond to them (because I've never
programmed Apache).

(Sorry to post to the list. I recently learned Gerrit was not saving
most of my comments. I want to ensure this is documented).

Jeff

[1] RFC 5280, Internet X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile,
http://www.ietf.org/rfc/rfc5280.txt.
[2] RFC 6125, Representation and Verification of Domain-Based
Application Service Identity within Internet Public Key Infrastructure
Using X.509 (PKIX) Certificates in the Context of Transport Layer
Security (TLS), http://www.ietf.org/rfc/rfc6125.txt.
[3] CA/Browser Forum Baseline Requirements Documents,
https://cabforum.org/baseline-requirements-documents/.


On Tue, Jul 8, 2014 at 3:21 AM,  <gerrit2 at review.openstack.org> wrote:
>
> Hi, I'd like you to take a look at this patch for potential
> SecurityImpact.
> https://review.openstack.org/103736
>
> Log:
> commit 6bb86fe7971f250163395d450ccac06f7bafa789
> Author: guang-yee <guang.yee at hp.com>
> Date:   Mon Jun 30 22:38:50 2014 -0700
>
>     X.509 SSL certificate authentication plugin
>
>     Add a plugin for X.509 SSL certification authentication. This is similar to
>     Kerberos auth plugin. It must be used in conjunction with Apache mod_ssl.
>
>     DocImpact
>     SecurityImpact
>
>     Change-Id: I695e8deeb89826717ec859461ab2339d8af20805
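As an added illustration of the SAN-over-CN rule and the wildcard negative test cases raised above (example code written for this archive page, not part of the Keystone change or the reviewer's message): a small RFC 6125-style hostname matcher. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the Public Suffix List, and the function names are the example's own.

```python
import re

# Constructed stand-in for the Public Suffix List; a real deployment would
# load the full list. 'com' is a gTLD, 'uk.com' a ccTLD-style suffix.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk.com", "co.uk"}

_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name):
    # Lower-case, strip one trailing dot, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def wildcard_allowed(pattern):
    """True if `pattern` is a wildcard dNSName this checker will honour.

    Rejects a '*' anywhere but the leftmost label ('keystone.*.com'),
    partial-label wildcards ('f*o.example.com'), and any wildcard whose
    remainder is a public suffix, which would claim an entire TLD
    ('*.com', '*.uk.com'), as the CA/B Baseline Requirements forbid.
    """
    labels = _labels(pattern)
    if labels[0] != "*" or any("*" in l for l in labels[1:]):
        return False
    rest = labels[1:]
    if len(rest) < 2 or not all(_LABEL_RE.match(l) for l in rest):
        return False
    return ".".join(rest) not in PUBLIC_SUFFIXES


def _name_matches(hostname, pattern):
    host, pat = _labels(hostname), _labels(pattern)
    if "*" in pattern:
        # A wildcard covers exactly one label: '*.openstack.org' does not
        # match 'a.b.openstack.org'.
        return (wildcard_allowed(pattern) and len(host) == len(pat)
                and host[1:] == pat[1:])
    return host == pat


def hostname_matches(hostname, dns_names, common_name=None):
    """RFC 6125-style check: when the certificate carries SAN dNSName
    entries only those are consulted; the CN is a fallback for legacy
    certificates with no SAN, never an additional identifier."""
    candidates = list(dns_names) if dns_names else (
        [common_name] if common_name else [])
    return any(_name_matches(hostname, c) for c in candidates)
```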



