[Openstack-security] [Bug 1381365] Re: SSL Version and cipher selection not possible
Sean McGinnis
sean_mcginnis at dell.com
Thu Sep 29 02:40:04 UTC 2016
** Changed in: cinder
Status: New => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381365
Title:
SSL Version and cipher selection not possible
Status in Cinder:
Won't Fix
Status in Glance:
New
Status in OpenStack Identity (keystone):
Won't Fix
Status in OpenStack Compute (nova):
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
We configure keystone to use SSL always. Due to the poodle issue, I was trying to configure keystone to disable SSLv3 completely.
http://googleonlinesecurity.blogspot.fi/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
It seems that keystone has no support for configring SSL versions, nor
ciphers.
If I'm not mistaken the relevant code is in the start function in
common/environment/eventlet_server.py
It calls
eventlet.wrap_ssl
but with no SSL version nor cipher options. Since the interface is identical, I assume it uses ssl.wrap_socket. The default here seems to be PROTOCOL_SSLv23 (SSL2 disabled), which would make this vulnerable to the poodle issue.
SSL conifgs should probably be possible to be set in the config file
(with sane defaults), so that current and newly detected weak ciphers
can be disabled without code changes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1381365/+subscriptions
More information about the Openstack-security
mailing list