[Openstack-security] [Bug 1381365] Re: SSL Version and cipher selection not possible
Morgan Fainberg
morgan.fainberg at gmail.com
Fri Oct 24 18:50:13 UTC 2014
** Changed in: keystone
Status: New => Confirmed
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone
Importance: Medium => Wishlist
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381365
Title:
SSL Version and cipher selection not possible
Status in Cinder:
New
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in OpenStack Identity (Keystone):
Confirmed
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
We configure keystone to use SSL always. Due to the poodle issue, I was trying to configure keystone to disable SSLv3 completely.
http://googleonlinesecurity.blogspot.fi/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
It seems that keystone has no support for configring SSL versions, nor
ciphers.
If I'm not mistaken the relevant code is in the start function in
common/environment/eventlet_server.py
It calls
eventlet.wrap_ssl
but with no SSL version nor cipher options. Since the interface is identical, I assume it uses ssl.wrap_socket. The default here seems to be PROTOCOL_SSLv23 (SSL2 disabled), which would make this vulnerable to the poodle issue.
SSL conifgs should probably be possible to be set in the config file
(with sane defaults), so that current and newly detected weak ciphers
can be disabled without code changes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1381365/+subscriptions
More information about the Openstack-security
mailing list