[Openstack-security] [Bug 1432901] Re: solidfire driver ignores certificates

John Griffith 1432901 at bugs.launchpad.net
Mon Mar 23 16:35:58 UTC 2015


*** This bug is a duplicate of bug 1188189 ***
    https://bugs.launchpad.net/bugs/1188189

Late to the party, but for record keeping.. yes duplicate.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1432901

Title:
  solidfire driver ignores certificates

Status in Cinder:
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  The solidfire driver passes verify=False when initiating an https
  connection.  This in effect bypasses any certificate verification and
  allows the user to be vulnerable to a man-in-the-middle attack.
  Certificates should always be trusted before passing credentials.  To
  support cases with self-signed certificates, typically an option to
  ignore errors is exposed in a config file (cinder.conf).

  https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/solidfire.py#L198

          req = requests.post(url,
                              data=json.dumps(payload),
                              auth=(endpoint['login'], endpoint['passwd']),
                              verify=False,
                              timeout=30)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1432901/+subscriptions
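
One way to implement the configurable verification the bug description asks for, shown as an added example and not Cinder's own code. The option names sf_ssl_verify and sf_ca_bundle, the sample config, and the helper functions are hypothetical.

```python
import configparser
import json
import logging
import os

LOG = logging.getLogger(__name__)

# Constructed sample of a cinder.conf backend section (option names hypothetical).
SAMPLE_CONF = """
[solidfire]
san_ip = 192.0.2.10
sf_ssl_verify = true
sf_ca_bundle =
"""


def load_section(text, name="solidfire"):
    """Parse config text and return the named backend section."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser[name]


def resolve_verify(section):
    """Return the value to pass as the verify= argument of requests.post.

    True means the system CA store, a string is a CA bundle path (for
    self-signed or private CAs), False only on an explicit opt-out.
    """
    # Secure default: a missing option leaves verification on.
    if not section.getboolean("sf_ssl_verify", fallback=True):
        LOG.warning("TLS certificate verification disabled by configuration")
        return False
    bundle = section.get("sf_ca_bundle", fallback="").strip()
    if not bundle:
        return True
    # Fail closed: a bad bundle path must not degrade to no verification.
    if not os.path.isfile(bundle):
        raise ValueError("sf_ca_bundle does not exist: %s" % bundle)
    return bundle


def issue_request(url, payload, login, passwd, section):
    """Same call as in the report, with verify taken from configuration."""
    import requests  # imported lazily so the config logic runs offline
    return requests.post(url, data=json.dumps(payload), auth=(login, passwd),
                         verify=resolve_verify(section), timeout=30)
```

A deployment with a self-signed array certificate points sf_ca_bundle at that certificate instead of switching verification off.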



