[Openstack-security] [openstack/keystone] SecurityImpact review request change I695e8deeb89826717ec859461ab2339d8af20805

Yee, Guang guang.yee at hp.com
Tue Jul 8 18:05:35 UTC 2014


Hi Jeff,

Thanks for the review. Please see my response inline.


Guang


> -----Original Message-----
> From: Jeffrey Walton [mailto:noloader at gmail.com]
> Sent: Tuesday, July 08, 2014 8:28 AM
> To: openstack-security at lists.openstack.org
> Cc: Yee, Guang
> Subject: Re: [Openstack-security] [openstack/keystone] SecurityImpact
> review request change I695e8deeb89826717ec859461ab2339d8af20805
>
> From tests/apache_fixtures.py:
>
> > 'SSL_CLIENT_S_DN': ('CN=localhost,emailAddress=keystone@openstack.org,'
> >                     'OU=Keystone,O=OpenStack,L=Sunnyvale,ST=CA,C=US'),
> > 'SSL_CLIENT_I_DN': ('CN=Self Signed,emailAddress=keystone@openstack.org,'
> >                     'OU=Keystone,O=OpenStack,L=Sunnyvale,ST=CA,C=US,'
> >                     'serialNumber=5'),
>
> SSL_CLIENT_S_DN appears to be Subject Distinguished Name. A hostname in
> the Common Name (CN) (i.e., CN=localhost) is deprecated by both the
> IETF and the CA/Browser Forums [1,2]. Most CAs in the wild follow the
> CA/Browser Forums, and *not* the IETF. (And which standard libraries
> use is a whole 'nother debate).
>
> It would probably be a good idea to have a couple of test cases that
> place the hostname in the Subject Alt Name (SAN), and not the Common
> Name (CN). Both the IETF and CA/B want the hostname there.
[gyee] This is an SSL client certificate. My understanding is that only SSL 
server certificates need to follow the IETF (HTTPS) standard. This patch is for 
SSL authentication using an SSL client certificate. The SSL server certificate is to 
be validated by the client application.

>
> Also, a negative test case to consider uses a hostname of (1) "*.com",
> and (2) "*.uk.com". (1) is a wildcarded gTLD, and (2) is a wildcarded
> ccTLD. Both should probably be rejected because they claim purview over
> the entire top level domain. Intuitively, we know this is not possible.
> Additionally, it's prohibited by the CA/B Baseline Requirements (which most CAs
> issue against).
[gyee] Wildcard chars are not used in this patch. It must be a case-sensitive 
match of client certificate attributes.
>
> A final negative test case with hostname tricks would be (1)
> "keystone.*.com", and (2) "keystone.*.uk.com". In this test case, the
> asterisk is *not* in the leftmost label. This suffers the same basic
> fault of the previous test case. And it's a violation of the CA/B BR.
[gyee] Same as above. We are using the SSL client certificate attributes 
conveyed by Apache mod_ssl.
>
> I know how Python, PERL, OpenSSL, .Net, Cocoa/CocoaTouch, Ruby, etc.
> respond to the negative test cases. For the first test case ("*.com"
> and "*.uk.com"), OpenStack will probably need an additional security
> control because Python does not handle it correctly. If it's OpenSSL-
> based, then *no* hostname matching currently occurs, so OpenStack will
> need to implement it (or find a library with it). What I'm not clear
> on: how does Apache respond to them (because I've never programmed
> Apache).
>
> (Sorry to post to the list. I recently learned Gerrit was not saving
> most of my comments. I want to ensure this is documented).
>
> Jeff
>
> [1] RFC 5280, Internet X.509 Public Key Infrastructure Certificate and
> Certificate Revocation List (CRL) Profile,
> http://www.ietf.org/rfc/rfc5280.txt.
> [2] RFC 6125, Representation and Verification of Domain-Based
> Application Service Identity within Internet Public Key Infrastructure
> Using X.509 (PKIX) Certificates in the Context of Transport Layer
> Security (TLS), http://www.ietf.org/rfc/rfc6125.txt.
> [3] CA/Browser Forum Baseline Requirements Documents,
> https://cabforum.org/baseline-requirements-documents/.
>
>
> On Tue, Jul 8, 2014 at 3:21 AM,  <gerrit2 at review.openstack.org> wrote:
> >
> > Hi, I'd like you to take a look at this patch for potential
> > SecurityImpact.
> > https://review.openstack.org/103736
> >
> > Log:
> > commit 6bb86fe7971f250163395d450ccac06f7bafa789
> > Author: guang-yee <guang.yee at hp.com>
> > Date:   Mon Jun 30 22:38:50 2014 -0700
> >
> >     X.509 SSL certificate authentication plugin
> >
> >     Add a plugin for X.509 SSL certification authentication. This is
> >     similar to Kerberos auth plugin. It must be used in conjunction with
> >     Apache mod_ssl.
> >
> >     DocImpact
> >     SecurityImpact
> >
> >     Change-Id: I695e8deeb89826717ec859461ab2339d8af20805
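As an added illustration (not keystone's plugin code and not part of this thread): the snippet below parses the SSL_CLIENT_S_DN / SSL_CLIENT_I_DN strings that Apache mod_ssl exports and applies the exact, case-sensitive attribute match Guang describes, so a lower-cased value or a literal "*" in an attribute simply fails to match rather than being expanded. It assumes mod_ssl's RFC 2253-style DN output with backslash-escaped commas; the sample environment is constructed from the fixture quoted above, and REQUIRED_ISSUER, REQUIRED_SUBJECT, parse_dn, attributes_match and authenticate are hypothetical names.

```python
import re

# Constructed sample of the CGI environment mod_ssl hands to a WSGI app once
# client-certificate verification has succeeded. The variable names are
# mod_ssl's; the values mirror the keystone test fixture quoted in the thread.
SAMPLE_ENV = {
    'SSL_CLIENT_S_DN': ('CN=localhost,emailAddress=keystone@openstack.org,'
                        'OU=Keystone,O=OpenStack,L=Sunnyvale,ST=CA,C=US'),
    'SSL_CLIENT_I_DN': ('CN=Self Signed,emailAddress=keystone@openstack.org,'
                        'OU=Keystone,O=OpenStack,L=Sunnyvale,ST=CA,C=US,'
                        'serialNumber=5'),
}

# Hypothetical policy: attributes the issuer and subject must carry, compared
# byte-for-byte (case-sensitive, no wildcard expansion of any kind).
REQUIRED_ISSUER = {'CN': 'Self Signed', 'O': 'OpenStack', 'serialNumber': '5'}
REQUIRED_SUBJECT = {'OU': 'Keystone', 'O': 'OpenStack', 'C': 'US'}


def parse_dn(dn):
    """Split an RFC 2253-style DN string into an attribute dict.

    Assumption: a literal comma inside a value arrives escaped as '\\,', so we
    split only on commas not preceded by a backslash and then unescape.
    """
    attrs = {}
    for rdn in re.split(r'(?<!\\),', dn):
        key, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % rdn)
        attrs[key.strip()] = value.replace('\\,', ',')
    return attrs


def attributes_match(actual, required):
    """True only if every required attribute is present with an identical value."""
    return all(actual.get(key) == value for key, value in required.items())


def authenticate(env, required_issuer=REQUIRED_ISSUER,
                 required_subject=REQUIRED_SUBJECT):
    """Return the subject CN when the client cert satisfies the policy, else None.

    Both DN variables must be present (mod_ssl only sets them after a
    successful SSLVerifyClient) and both must match the policy exactly.
    """
    subject_dn = env.get('SSL_CLIENT_S_DN')
    issuer_dn = env.get('SSL_CLIENT_I_DN')
    if not subject_dn or not issuer_dn:
        return None
    subject = parse_dn(subject_dn)
    issuer = parse_dn(issuer_dn)
    if not attributes_match(issuer, required_issuer):
        return None
    if not attributes_match(subject, required_subject):
        return None
    return subject.get('CN')


def with_subject(env, old, new):
    """Helper for the demo: copy env with one substring of the subject DN changed."""
    return dict(env, SSL_CLIENT_S_DN=env['SSL_CLIENT_S_DN'].replace(old, new))


if __name__ == '__main__':
    print(authenticate(SAMPLE_ENV))                                   # localhost
    print(authenticate(with_subject(SAMPLE_ENV, 'OU=Keystone', 'OU=keystone')))  # None: case differs
    print(authenticate(with_subject(SAMPLE_ENV, 'O=OpenStack', 'O=*')))          # None: '*' not expanded
    print(authenticate({'SSL_CLIENT_S_DN': SAMPLE_ENV['SSL_CLIENT_S_DN']}))      # None: issuer missing
```

Because the comparison is plain string equality on the parsed attributes, Jeff's wildcard cases ("*.com", "keystone.*.com") are never treated as patterns here; they only ever match a policy entry that literally contains the same characters, which is the behaviour the thread attributes to the patch.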