[Openstack-security] [Bug 1188189] Re: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection)

Daniel Gollub d.gollub at telekom.de
Sat Mar 1 16:21:29 UTC 2014 

Random idea:
Maybe this is something which should be discussed/handled by the individual OpenStack distributors/vendors?
They could handle this inside their packages of cinder (or other components)? With pre-/post-scripts while upgrading the package?


All other automatic approaches were it disables SSL verification - or
tolerates failing verification would let us end-up with the same
security issue again - I guess.

I do not have a better idea either. But maybe we could use the Icehouse
release and stress this fundamental change in Upgrade notes/instruction.
And switch to SSL verification by default across all the identified
OpenStack components.


Introducing some logic like: if the configured HTTPS URL holds an IP address instead of a DNS name, "very likely" SSL verification is not going to succeed so the code falls back to ssl_insecure=True .... or something like that - I would not recommend to do. Since it would silently hide the fact that the current setup is not as secure as one would think.

Not quite sure if just logging that SSL verification failed and
continuing with ssl_insecure=True would "solve" it either in a correct
fashion.

Maybe security- and release folks should decide to go once through this
burden with the Icehouse release or not. And try to warn the admins
ahead in Release Notes and Upgrade Instruction to verify if their setup
would pass SSL verification - or not.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1188189

Title:
  Some server-side 'SSL' communication fails to check certificates (use
  of HTTPSConnection)

Status in Cinder:
  In Progress
Status in OpenStack Identity (Keystone):
  In Progress
Status in OpenStack Neutron (virtual network service):
  In Progress
Status in OpenStack Compute (Nova):
  Confirmed
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Status in Python client library for Keystone:
  Fix Released
Status in OpenStack Object Storage (Swift):
  Invalid

Bug description:
  Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
  objects. In Python 2.x those do not perform CA checks so client
  connections are vulnerable to MiM attacks.

  """
  The following files use httplib.HTTPSConnection :
  keystone/middleware/s3_token.py
  keystone/middleware/ec2_token.py
  keystone/common/bufferedhttp.py
  vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

  AFAICT HTTPSConnection does not validate server certificates and
  should be avoided. This is fixed in Python 3, however in 2.X no
  validation occurs. I suspect this is also applicable to most OpenStack
  modules that make HTTPS client calls.

  Similar problems were found in ovirt:
  https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)

  With solutions for ovirt:
  http://gerrit.ovirt.org/#/c/7209/
  http://gerrit.ovirt.org/#/c/7249/
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions

More information about the Openstack-security mailing list