[Openstack-security] [Bug 1370283] Re: python-glanceclient uses extremely insecure configurations of OpenSSL

Jeremy Stanley fungi at yuggoth.org
Tue Sep 23 13:23:11 UTC 2014


The bug is not closed--it's still in an untriaged "new" state for
python-glanceclient. I merely marked the security advisory task "won't
fix" to denote that the VMT has judged this a security hardening
opportunity rather than an explicit security vulnerability.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1370283

Title:
  python-glanceclient uses extremely insecure configurations of OpenSSL

Status in OpenStack Security Advisories:
  Won't Fix
Status in Python client library for Glance:
  New

Bug description:
  glanceclient does not properly configure OpenSSL, which results in
  making TLS connections which allow extremely bad security settings.

  Specifically it allows SSLv2, and many insecure ciphersuites. From
  Ubuntu 14.04:

  >>> import pprint; import glanceclient.common.http; pprint.pprint(glanceclient.common.http.HTTPClient('https://', ssl_compression=False).session.get("https://www.howsmyssl.com/a/check").json())
  {u'able_to_detect_n_minus_one_splitting': False,
   u'beast_vuln': False,
   u'ephemeral_keys_supported': True,
   u'given_cipher_suites': [u'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                            u'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
                            u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
                            u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
                            u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
                            u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384',
                            u'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
                            u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
                            u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
                            u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
                            u'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA',
                            u'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
                            u'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
                            u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
                            u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
                            u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA',
                            u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
                            u'TLS_RSA_WITH_AES_256_GCM_SHA384',
                            u'TLS_RSA_WITH_AES_256_CBC_SHA256',
                            u'TLS_RSA_WITH_AES_256_CBC_SHA',
                            u'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
                            u'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
                            u'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA',
                            u'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
                            u'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA',
                            u'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA',
                            u'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
                            u'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                            u'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
                            u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
                            u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
                            u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
                            u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256',
                            u'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
                            u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
                            u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
                            u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
                            u'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_SEED_CBC_SHA',
                            u'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA',
                            u'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
                            u'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
                            u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256',
                            u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
                            u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA',
                            u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
                            u'TLS_RSA_WITH_AES_128_GCM_SHA256',
                            u'TLS_RSA_WITH_AES_128_CBC_SHA256',
                            u'TLS_RSA_WITH_AES_128_CBC_SHA',
                            u'TLS_RSA_WITH_SEED_CBC_SHA',
                            u'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
                            u'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
                            u'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',
                            u'TLS_ECDH_RSA_WITH_RC4_128_SHA',
                            u'TLS_ECDH_ECDSA_WITH_RC4_128_SHA',
                            u'TLS_RSA_WITH_RC4_128_SHA',
                            u'TLS_RSA_WITH_RC4_128_MD5',
                            u'TLS_DHE_RSA_WITH_DES_CBC_SHA',
                            u'TLS_DHE_DSS_WITH_DES_CBC_SHA',
                            u'TLS_RSA_WITH_DES_CBC_SHA',
                            u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
                            u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA',
                            u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
                            u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
                            u'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
                            u'TLS_EMPTY_RENEGOTIATION_INFO_SCSV'],
   u'insecure_cipher_suites': {u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                               u'TLS_DHE_DSS_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                               u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                               u'TLS_DHE_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                               u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                               u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
                               u'TLS_RSA_EXPORT_WITH_RC4_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
                               u'TLS_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption']},
   u'rating': u'Bad',
   u'session_ticket_supported': True,
   u'tls_compression_supported': False,
   u'tls_version': u'TLS 1.2',
   u'unknown_cipher_suite_supported': False}

  
  I *strongly* recommend just deleting all this code and using requests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1370283/+subscriptions
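The report above shows what a client that leaves OpenSSL at its defaults offers a server: SSLv2-era export suites, single DES and RC4, rated "Bad" by howsmyssl. The following is an added example, written for this thread and not code from python-glanceclient or from the bug reporter, showing the two things a hardening fix needs: a client-side ssl.SSLContext that pins a TLS 1.2 floor, disables compression and restricts the cipher list, plus a small auditor that reads a howsmyssl-style report (the key names are those in the output quoted above; the sample report embedded below is constructed from a subset of those suites) and separates weak, legacy and acceptable suites. The marker lists used to classify suite names and the treatment of the "Improvable" rating are my assumptions, not howsmyssl's own rules; the 128-bit-key judgement comes from the report's insecure_cipher_suites field as the page shows it.

```python
"""Hardened TLS client context and a howsmyssl-style report auditor.

Added example for the python-glanceclient TLS configuration bug thread;
not part of glanceclient. Standard library only.
"""
import http.client
import json
import ssl

# Cipher string: forward-secret AEAD suites only, then explicit exclusions of
# everything the bug report found enabled (export, DES, 3DES, RC4, MD5, anon/null).
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20"
    ":!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
)


def make_hardened_context():
    """Client context that refuses SSLv2/SSLv3/TLS1.0/1.1 and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies cert + hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSLv2/SSLv3 fall below this floor
    ctx.options |= ssl.OP_NO_COMPRESSION            # the ssl_compression=False intent, enforced
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Substrings (IANA suite naming) that mark a suite as unacceptable or merely dated.
# These lists are an assumption of this example, not a howsmyssl definition.
WEAK_MARKERS = ("EXPORT", "_DES_", "DES40", "RC4", "RC2", "_MD5", "NULL", "ANON")
LEGACY_MARKERS = ("3DES",)


def classify_suite(name):
    """Return 'weak', 'legacy' or 'ok' for an IANA cipher suite name."""
    upper = name.upper()
    if any(m in upper for m in WEAK_MARKERS):
        return "weak"
    if any(m in upper for m in LEGACY_MARKERS):
        return "legacy"
    return "ok"


def audit_report(report):
    """Summarise a howsmyssl /a/check JSON document into findings."""
    weak, legacy, other = [], [], []
    for suite in report.get("given_cipher_suites", []):
        if suite.endswith("_SCSV"):        # signalling values, not real suites
            continue
        cls = classify_suite(suite)
        if cls == "weak":
            weak.append(suite)
        elif cls == "legacy":
            legacy.append(suite)
    # Merge the server's own judgement (e.g. keys under 128 bits), keeping order.
    for suite in report.get("insecure_cipher_suites", {}):
        if suite not in weak:
            weak.append(suite)
    if report.get("tls_compression_supported"):
        other.append("TLS compression enabled (CRIME)")
    if report.get("tls_version") not in ("TLS 1.2", "TLS 1.3"):
        other.append("negotiated %s" % report.get("tls_version"))
    if report.get("rating") in ("Bad", "Improvable"):   # "Bad" is what the bug report shows
        other.append("howsmyssl rating: %s" % report["rating"])
    return {"weak": weak, "legacy": legacy, "other": other,
            "passed": not (weak or legacy or other)}


def fetch_check(host="www.howsmyssl.com", path="/a/check"):
    """Live check with the hardened context (network; not used by the tests)."""
    conn = http.client.HTTPSConnection(host, context=make_hardened_context())
    conn.request("GET", path)
    return json.loads(conn.getresponse().read())


# Constructed sample modelled on the report quoted in the bug, trimmed to a few suites.
SAMPLE_REPORT = {
    "beast_vuln": False,
    "ephemeral_keys_supported": True,
    "given_cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_DES_CBC_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    ],
    "insecure_cipher_suites": {
        "TLS_RSA_WITH_DES_CBC_SHA": ["uses keys smaller than 128 bits in its encryption"],
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5": ["uses keys smaller than 128 bits in its encryption"],
    },
    "rating": "Bad",
    "tls_compression_supported": False,
    "tls_version": "TLS 1.2",
}

if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_REPORT), indent=2))
    print([c["name"] for c in make_hardened_context().get_ciphers()])
```

Running the module audits the constructed sample (three weak suites, one legacy, rating "Bad") and then lists the suites the hardened context would actually offer, which is the quickest way to confirm the cipher string did what was intended on the local OpenSSL build. Replacing the hand-rolled OpenSSL handling with requests, as the reporter recommends, gives the same effect; the context above can be passed into a requests HTTPAdapter if the client code keeps its own session.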
