<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>You can terminate SSL anywhere, it doesn’t have to be at the boundary necessarily. Many larger deployments will utilize hardware terminators at the network edge and then internally use software based terminators (like Stunnel).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>There’s a growing effort to use SSL everywhere, I can second Rob Crittenden’s comments – check out Nathan Kinders blog entry on the topic </span><a href="https://blog-nkinder.rhcloud.com/?p=7" target="_blank">https://blog-nkinder.rhcloud.com/?p=7</a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Hao Wang [mailto:hao.1.wang@gmail.com] <br><b>Sent:</b> 29 April 2014 16:04<br><b>To:</b> Rob Crittenden<br><b>Cc:</b> Clark, Robert Graham; openstack-security@lists.openstack.org; openstack; Aaron Knister<br><b>Subject:</b> Re: [Openstack-security] [Openstack] API Security<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>SSL terminator will terminates at the network boundary. I am thinking if the crackers can figure out a way to sneak into the internal network and capture all the sensitive information still. Is this a concern for a private cloud?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Apr 29, 2014 at 10:39 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal>Hao Wang wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal>Thanks. It makes sense. The other questions are, would Heartbleed be a<br>potential risk? Which solution is being used in OpenStack SSL?<o:p></o:p></p></blockquote><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>Native SSL services (eventlet) are based on OpenSSL, as is Apache (horizon) so yes, the risk is there if you haven't updated your OpenSSL libraries.<br><br>The general consensus however is to use SSL terminators rather than enabling SSL in the endpoints directly. You'd need to investigate the SSL library in the terminator you choose, though it would likely be OpenSSL.<br><br>Check this out as well, <a href="https://blog-nkinder.rhcloud.com/?p=7" target="_blank">https://blog-nkinder.rhcloud.com/?p=7</a><br><br>rob<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal><br><br>On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham<o:p></o:p></p></div><div><p class=MsoNormal><<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a> <mailto:<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>>> wrote:<br><br> This is why any production API servers should all be running TLS/SSL<o:p></o:p></p></div><p class=MsoNormal> – to protect the confidentiality of messages in flight.____<br><br> __ __<o:p></o:p></p><div><p class=MsoNormal><br><br> There have been efforts to remove sensitive information from logs,<o:p></o:p></p></div><p class=MsoNormal> I’m a little surprised that passwords are logged in Neutron.____<br><br> __ __<br><br> *From:*Hao Wang [mailto:<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a><br> <mailto:<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>>]<br> *Sent:* 29 April 2014 14:06<br> *To:* <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a><br> <mailto:<a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a>><br> *Cc:* openstack; Aaron Knister<br> *Subject:* Re: [Openstack-security] [Openstack] API Security____<br><br> __ __<br><br> Adding security group...____<br><br> __ __<o:p></o:p></p><div><p class=MsoNormal><br><br> On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a><o:p></o:p></p></div><p class=MsoNormal> <mailto:<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>>> wrote:____<br><br> It is the client. I got this message with DEBUG enabled:____<o:p></o:p></p><div><p class=MsoNormal><br><br> curl -i '<a href="http://192.168.56.103:35357/v2.0/tokens" target="_blank">http://192.168.56.103:35357/v2.0/tokens</a>' -X POST -H<br> "Content-Type: application/json" -H "Accept: application/json"<br> -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName":<br> "admin", "passwordCredentials": {"username": "admin",<o:p></o:p></p></div><p class=MsoNormal> "password": "admin"}}}'____<br><br> __ __<o:p></o:p></p><div><p class=MsoNormal><br><br> It can be seen that username and password are right in the<o:p></o:p></p></div><p class=MsoNormal> message.____<br><br> __ __<br><br> Hao____<br><br> __ __<o:p></o:p></p><div><p class=MsoNormal><br><br> On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister<o:p></o:p></p></div><p class=MsoNormal> <<a href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a> <mailto:<a href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a>>><br> wrote:____<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br> Was it the client or the server that exposed the credentials?<o:p></o:p></p></div><p class=MsoNormal> Sent from my iPhone____<o:p></o:p></p><div><p class=MsoNormal><br><br><br> On Apr 26, 2014, at 2:28 PM, Hao Wang <<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a><o:p></o:p></p></div><p class=MsoNormal> <mailto:<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>>> wrote:____<br><br> Hi,____<br><br> __ __<o:p></o:p></p><div><p class=MsoNormal><br><br> I am troubleshooting a neutron case. It was just found<br> that if DEBUG was enabled, neutron would print out JSON<br> data with username and password. I am wondering what<br> kind of protocol is used in production environment to<o:p></o:p></p></div><p class=MsoNormal> prevent this security risk from happening.____<br><br> __ __<br><br> Thanks,____<br><br> Hao____<o:p></o:p></p><div><p class=MsoNormal><br><br> _______________________________________________<br> Mailing list:<br> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br> Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'> <mailto:<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>><br> Unsubscribe :<br> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack____" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack____</a><br><br> __ __<br><br> __ __<br><br><br><br><br>_______________________________________________<br>Openstack-security mailing list<br><a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><o:p></o:p></p></blockquote><p class=MsoNormal><o:p> </o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>