<div dir="ltr">That is great information! Thanks.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 29, 2014 at 10:38 AM, Clark, Robert Graham <span dir="ltr"><<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Absolutely, for people that haven’t updated their SSL libraries (where OpenSSL was in use) there could be some level of exposure.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This has actually been addressed in an OpenStack Security Note: <a href="https://wiki.openstack.org/wiki/OSSN/OSSN-0012" target="_blank">https://wiki.openstack.org/wiki/OSSN/OSSN-0012</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Hao Wang [mailto:<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>] <br>
<b>Sent:</b> 29 April 2014 15:26<br><b>To:</b> Clark, Robert Graham<br><b>Cc:</b> <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a>; openstack; Aaron Knister</span></p>
<div><div class="h5"><br><b>Subject:</b> Re: [Openstack-security] [Openstack] API Security<u></u><u></u></div></div><p></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">
Thanks. It makes sense. The other questions are, would Heartbleed be a potential risk? Which solution is being used in OpenStack SSL?<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div><p class="MsoNormal">On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham <<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This is why any production API servers should all be running TLS/SSL – to protect the confidentiality of messages in flight.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">There have been efforts to remove sensitive information from logs, I’m a little surprised that passwords are logged in Neutron.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Hao Wang [mailto:<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>] <br>
<b>Sent:</b> 29 April 2014 14:06<br><b>To:</b> <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a><br><b>Cc:</b> openstack; Aaron Knister<br><b>Subject:</b> Re: [Openstack-security] [Openstack] API Security</span><u></u><u></u></p>
</div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><div><p class="MsoNormal">Adding security group...<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"> <u></u><u></u></p><div><p class="MsoNormal">
On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div><p class="MsoNormal">It is the client. I got this message with DEBUG enabled:<u></u><u></u></p><div><p class="MsoNormal">curl -i '<a href="http://192.168.56.103:35357/v2.0/tokens" target="_blank">http://192.168.56.103:35357/v2.0/tokens</a>' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'<u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">It can be seen that username and password are right in the message.<u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:#888888"> </span><u></u><u></u></p>
</div><div><p class="MsoNormal"><span style="color:#888888">Hao</span><u></u><u></u></p></div></div><div><div><div><p class="MsoNormal" style="margin-bottom:12.0pt"> <u></u><u></u></p><div><p class="MsoNormal">On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <<a href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><div><div><p class="MsoNormal">Was it the client or the server that exposed the credentials?<br>
<br>Sent from my iPhone<u></u><u></u></p></div><div><div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>On Apr 26, 2014, at 2:28 PM, Hao Wang <<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>> wrote:<u></u><u></u></p>
</div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Hi,</span><u></u><u></u></p><div><p class="MsoNormal">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I am troubleshooting a neutron case. It was just found that if DEBUG was enabled, neutron would print out JSON data with username and password. I am wondering what kind of protocol is used in a production environment to prevent this security risk from happening.</span><u></u><u></u></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Thanks,</span><u></u><u></u></p>
</div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Hao</span><u></u><u></u></p></div></div></div></blockquote></div></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div><p class="MsoNormal">_______________________________________________<br>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to     : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><u></u><u></u></p>
</div></blockquote></div></blockquote></div><p class="MsoNormal"> <u></u><u></u></p></div></div></div></blockquote></div><p class="MsoNormal"> <u></u><u></u></p></div></div></div></div></div></div></blockquote></div><p class="MsoNormal">
<u></u> <u></u></p></div></div></div></div></div></div></blockquote></div><br></div>
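<p>The thread's second mitigation, keeping credentials out of DEBUG output, as an added example (not code from OpenStack, Neutron or any participant): redact the password field from a Keystone token request body such as the one quoted above before the body is logged. The key list beyond <code>password</code>, the function names and the regex fallback for malformed bodies are assumptions for this illustration.</p>

```python
import json
import re
from typing import Any

# Keys whose values must never reach a DEBUG log. "password" is the field the
# thread shows leaking via passwordCredentials; the others are added assumptions.
SENSITIVE_KEYS = frozenset({"password", "token", "secret", "auth_token"})
MASK = "***"

# Fallback for bodies that are not well-formed JSON (truncated or concatenated
# debug output): blank out quoted values that follow a sensitive key name.
_FALLBACK = re.compile(
    r'("(?:%s)"\s*:\s*")([^"]*)(")' % "|".join(sorted(SENSITIVE_KEYS)),
    re.IGNORECASE,
)


def _redact(obj: Any) -> Any:
    """Return a copy of obj with sensitive values masked, recursing into nesting."""
    if isinstance(obj, dict):
        return {
            k: (MASK if k.lower() in SENSITIVE_KEYS else _redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [_redact(v) for v in obj]
    return obj


def redact_request_body(body: str) -> str:
    """Sanitise a request body before writing it to a debug log.

    Well-formed JSON is parsed and re-serialised so masking survives any
    nesting (auth -> passwordCredentials -> password). Anything else gets
    the regex pass so a broken body still never leaks a secret verbatim.
    """
    try:
        return json.dumps(_redact(json.loads(body)), sort_keys=True)
    except ValueError:
        return _FALLBACK.sub(r"\1" + MASK + r"\3", body)


# Constructed sample: the token request body quoted in the thread.
SAMPLE_BODY = (
    '{"auth": {"tenantName": "admin", '
    '"passwordCredentials": {"username": "admin", "password": "admin"}}}'
)

if __name__ == "__main__":
    print(redact_request_body(SAMPLE_BODY))
```

<p>Username and tenant survive for troubleshooting; only the credential value is replaced, and a body the JSON parser rejects is still masked by the fallback rather than logged as-is.</p>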