<div dir="ltr">An SSL terminator terminates at the network boundary. I am wondering whether crackers could still find a way to sneak into the internal network and capture all the sensitive information. Is this a concern for a private cloud?</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 29, 2014 at 10:39 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">Hao Wang wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks. It makes sense. The other questions are, would Heartbleed be a<br>
potential risk? Which solution is being used in OpenStack SSL?<br>
</blockquote>
<br></div>
Native SSL services (eventlet) are based on OpenSSL, as is Apache (horizon), so yes, the risk is there if you haven't updated your OpenSSL libraries.<br>
<br>
The general consensus however is to use SSL terminators rather than enabling SSL in the endpoints directly. You'd need to investigate the SSL library in the terminator you choose, though it would likely be OpenSSL.<br>
<br>
Check this out as well, <a href="https://blog-nkinder.rhcloud.com/?p=7" target="_blank">https://blog-nkinder.rhcloud.com/?p=7</a><br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
<br>
<br>
On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham<br></div><div class="">
<<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>> wrote:<br>
<br>
This is why any production API servers should all be running TLS/SSL<br></div>
– to protect the confidentiality of messages in flight.<br>
<br>
<div class=""><br>
<br>
There have been efforts to remove sensitive information from logs,<br></div>
I’m a little surprised that passwords are logged in Neutron.<br>
<br>
<br>
*From:* Hao Wang [mailto:<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>]<br>
*Sent:* 29 April 2014 14:06<br>
*To:* <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a><br>
*Cc:* openstack; Aaron Knister<br>
*Subject:* Re: [Openstack-security] [Openstack] API Security<br>
<br>
<br>
Adding security group...<br>
<br>
<div class=""><br>
<br>
On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang<br></div>
<<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>> wrote:<br>
<br>
It is the client. I got this message with DEBUG enabled:<div class=""><br>
<br>
curl -i '<a href="http://192.168.56.103:35357/v2.0/tokens" target="_blank">http://192.168.56.103:35357/v2.0/tokens</a>' -X POST -H<br>
"Content-Type: application/json" -H "Accept: application/json"<br>
-H "User-Agent: python-novaclient" -d '{"auth": {"tenantName":<br>
"admin", "passwordCredentials": {"username": "admin",<br></div>
"password": "admin"}}}'<br>
<br>
__ __<div class=""><br>
<br>
It can be seen that username and password are right in the<br></div>
message.<br>
<br>
<br>
Hao<br>
<br>
<div class=""><br>
<br>
On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister<br></div>
<<a href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a>><br>
wrote:<div class=""><br>
<br>
Was it the client or the server that exposed the credentials?<br>
<br></div>
Sent from my iPhone<div class=""><br>
<br>
<br>
On Apr 26, 2014, at 2:28 PM, Hao Wang<br></div>
<<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>> wrote:<br>
<br>
Hi,<br>
<br>
<div class=""><br>
<br>
I am troubleshooting a neutron case. It was just found<br>
that if DEBUG was enabled, neutron would print out JSON<br>
data with username and password. I am wondering what<br>
kind of protocol is used in production environment to<br></div>
prevent this security risk from happening.<br>
<br>
<br>
Thanks,<br>
<br>
Hao<div class=""><br>
<br>
_______________________________________________<br>
Mailing list:<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br></div>
Unsubscribe :<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br>
</blockquote>
<br>
</blockquote></div><br></div>
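<div dir="ltr">The thread above turns on a single failure mode: a client running with DEBUG enabled prints the Keystone token request, password included, into its log. TLS protects the message on the wire but does nothing for a log file. The following is an added example written for this page, not Neutron, Keystone or oslo code, of how a client or service can scrub credentials out of a request body before it is logged. It redacts both a parsed JSON structure (walking nested dicts and lists, so the password inside "passwordCredentials" is found without knowing the document shape) and a raw string such as the curl line quoted above, and falls back to the string path when the body is not valid JSON so a truncated body still leaks nothing. The key list, the redaction marker and the sample request are constructed for the example; the sample mirrors the v2.0 token request quoted in the thread.</div>

```python
"""Redact credentials from request bodies before they reach a DEBUG log.

Added illustration for this thread; not Neutron, Keystone or oslo code.
"""
import json
import logging
import re

# Keys whose values must never be logged. Constructed list for this example;
# a real deployment would tune it to the APIs it talks to.
SENSITIVE_KEYS = frozenset({"password", "token", "secret", "auth_token", "new_pass"})

REDACTED = "***"

# Matches  "password": "value"  pairs inside a JSON string, including escaped
# quotes in the value. The closing quote is optional so that a body cut off
# in the middle of the secret is still redacted. Used when only raw text is
# available, e.g. the curl command line a client prints at DEBUG.
_JSON_PAIR_RE = re.compile(
    r'("(?:' + "|".join(sorted(SENSITIVE_KEYS)) + r')"\s*:\s*")'  # key and opening quote
    r'((?:\\.|[^"\\])*)'                                         # the secret itself
    r'("?)',                                                     # closing quote, if present
    re.IGNORECASE,
)


def mask_structure(obj):
    """Return a copy of obj with values under sensitive keys replaced by REDACTED.

    Recurses through nested dicts and lists, so
    {"passwordCredentials": {"password": ...}} is handled without the caller
    knowing where in the document the secret sits.
    """
    if isinstance(obj, dict):
        return {
            k: REDACTED if isinstance(k, str) and k.lower() in SENSITIVE_KEYS
            else mask_structure(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_structure(v) for v in obj]
    return obj


def mask_text(text):
    """Redact sensitive JSON key/value pairs in a raw string (e.g. a curl line)."""
    return _JSON_PAIR_RE.sub(lambda m: m.group(1) + REDACTED + m.group(3), text)


def mask_body(body):
    """Redact a request body given as bytes/str (JSON) or an already-parsed object.

    Valid JSON is parsed and redacted structurally; anything else goes through
    the regex so a partial or malformed body never echoes a password verbatim.
    """
    if isinstance(body, (bytes, bytearray)):
        body = body.decode("utf-8", errors="replace")
    if isinstance(body, str):
        try:
            parsed = json.loads(body)
        except ValueError:
            return mask_text(body)
        return json.dumps(mask_structure(parsed))
    return mask_structure(body)


# Constructed sample, mirroring the Keystone v2.0 token request quoted above.
SAMPLE_BODY = (
    '{"auth": {"tenantName": "admin", "passwordCredentials": '
    '{"username": "admin", "password": "admin"}}}'
)
SAMPLE_CURL = (
    "curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST "
    '-H "Content-Type: application/json" -d \'' + SAMPLE_BODY + "'"
)


def log_request(logger, method, url, body):
    """Log a request at DEBUG the way a client might, but with the body scrubbed.

    Returns the scrubbed body so callers (and tests) can check what was logged.
    """
    scrubbed = mask_body(body)
    logger.debug("REQ: %s %s body=%s", method, url, scrubbed)
    return scrubbed


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("example")
    log_request(log, "POST", "http://192.168.56.103:35357/v2.0/tokens", SAMPLE_BODY)
    print(mask_text(SAMPLE_CURL))
```

<div dir="ltr">The structural walk is the one to prefer wherever the body has already been parsed, because it does not depend on quoting or whitespace; the regex path exists for the case the thread shows, where what gets logged is a pre-formatted command line or a body that never parsed. In OpenStack itself the text-level part of this job is done by strutils.mask_password in oslo.utils, which this example does not reproduce.</div>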