[Openstack-security] [Bug 1381365] Re: SSL Version and cipher selection not possible

Jeremy Stanley fungi at yuggoth.org
Fri Oct 24 14:11:22 UTC 2014


** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3511

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381365

Title:
  SSL Version and cipher selection not possible

Status in Cinder:
  New
Status in OpenStack Image Registry and Delivery Service (Glance):
  New
Status in OpenStack Identity (Keystone):
  New
Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  We configure keystone to use SSL always. Due to the poodle issue, I was trying to configure keystone to disable SSLv3 completely.
  http://googleonlinesecurity.blogspot.fi/2014/10/this-poodle-bites-exploiting-ssl-30.html
  https://www.openssl.org/~bodo/ssl-poodle.pdf

  It seems that keystone has no support for configuring SSL versions, nor
  ciphers.

  If I'm not mistaken the relevant code is in the start function in
  common/environment/eventlet_server.py

  It calls
  eventlet.wrap_ssl
  but with no SSL version nor cipher options. Since the interface is identical, I assume it uses ssl.wrap_socket. The default here seems to be PROTOCOL_SSLv23 (SSL2 disabled), which would make this vulnerable to the poodle issue.

  SSL configs should probably be possible to be set in the config file
  (with sane defaults), so that current and newly detected weak ciphers
  can be disabled without code changes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1381365/+subscriptions
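The report asks for the protocol version and cipher list to come from configuration rather than from the library default that ssl.wrap_socket / eventlet.wrap_ssl applies. The following is an added illustration, not code from Keystone, eventlet or the bug report: it builds a server-side SSLContext from two config values and then audits the result, so an operator can confirm that SSLv3 is genuinely excluded and that no weak suites remain. The option names `ssl_version` and `ciphers`, the config dictionary and the weak-suite markers are assumptions made for this example; it uses only the standard library `ssl` module (Python 3.7 or newer for `ssl.TLSVersion`).

```python
import ssl

# Constructed example config. The option names (ssl_version, ciphers) are
# assumptions for this illustration, not Keystone's actual configuration keys.
EXAMPLE_CONFIG = {
    "ssl_version": "TLSv1_2",   # lowest protocol version the server will accept
    "ciphers": "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4",
}

# Human-readable protocol floor -> ssl.TLSVersion (Python 3.7+).
MIN_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}

# Substrings in OpenSSL suite names that an operator would normally want gone.
# This list is an assumption for the example, not an exhaustive policy.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "anon")


def make_server_context(config):
    """Build a server-side SSLContext from config instead of library defaults.

    Setting minimum_version rules out SSLv2 and SSLv3 (and any older TLS the
    operator excludes) regardless of what the installed OpenSSL would accept
    by default; set_ciphers applies the operator's cipher string, so a newly
    discovered weak suite can be removed by editing config, not code.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION[config["ssl_version"]]
    ctx.set_ciphers(config["ciphers"])
    return ctx


def enabled_cipher_names(ctx):
    """Names of the cipher suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx):
    """Return (sslv3_possible, weak_cipher_names) for a built context.

    This is the post-load check that confirms the POODLE-relevant protocol
    is really off and that the cipher string did not let a weak suite through.
    """
    sslv3_possible = ctx.minimum_version < ssl.TLSVersion.TLSv1
    weak = [
        name for name in enabled_cipher_names(ctx)
        if any(marker in name for marker in WEAK_MARKERS)
    ]
    return sslv3_possible, weak


if __name__ == "__main__":
    context = make_server_context(EXAMPLE_CONFIG)
    sslv3, weak = audit_context(context)
    print("SSLv3 possible:", sslv3)
    print("weak suites:", weak or "none")
    print("offered suites:", ", ".join(enabled_cipher_names(context)))
```

The context returned by `make_server_context` is what would be handed to the socket-wrapping call in place of the bare defaults; `audit_context` is the kind of startup self-check that turns a bad config value into a visible error rather than a silently weak listener.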
