[openstack-dev] [OSSG] SSL Review

Clark, Robert Graham robert.clark at hp.com
Tue Oct 30 08:31:07 UTC 2012


All,

During the summit Bryan highlighted the poor SSL implementations being
used in various OpenStack clients, with some doing no verification at all.

Sadly the state of OpenStack internally (where SSL can be enabled) is
often little better. I'm going to start a body of work to navigate through
the code and check exactly what is (or isn't) enabled for each SSL
interface on offer.

I'm planning on checking the ability to execute a wide range of controls
because we want this 'enhanced' level of security on some particular
interfaces.

(For each interface)
Fundamental:
	* Certificate provided is signed by a CA that the client recognises as a valid trust anchor
	* Certificate is in-date
	* No support for known-poor algorithms
	* Service offering SSL cannot be forced into plaintext
	* SSLv3 TLSv1 Minimum

Standard:
	* Revocation information is checked (CRL/OCSP)
	* CNAME is valid for the server

Enhanced:
	* Support only for strongest available algorithms
	* X.509v3 Extended Key Usage flags OID verified
	* Client Certificates have Role-Specific CNAME and verification is supported

Please comment or add things to the list, also if you've already done some
similar work please drop me a line so I can include your results.

Finally, if you want to help do some of this please feel free!

-Rob
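
An added example, not part of the original message or of any OpenStack code: how the Fundamental and Standard checks in the list above map onto the settings of a Python client's `ssl.SSLContext`. The names `audit_context` and `weak_cipher_names`, the weak-token list and the TLSv1 default floor are assumptions made for this illustration.

```python
import ssl

# Substrings that mark known-poor suites in OpenSSL cipher names.
# This token list is an illustrative assumption, not an exhaustive one.
WEAK_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def weak_cipher_names(names):
    """Return the cipher names that contain a known-poor token."""
    return [n for n in names if any(t in n.upper() for t in WEAK_TOKENS)]


def audit_context(ctx, floor=ssl.TLSVersion.TLSv1):
    """Audit a client SSLContext; return a list of (tier, finding) tuples."""
    findings = []
    # Fundamental: CA trust and validity dates are only enforced when
    # certificate verification is required.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(("Fundamental", "peer certificate is not verified"))
    if ctx.minimum_version < floor:
        findings.append(("Fundamental", "protocol floor is below " + floor.name))
    weak = weak_cipher_names(c["name"] for c in ctx.get_ciphers())
    if weak:
        findings.append(("Fundamental", "weak ciphers: " + ", ".join(weak)))
    # Standard: the stdlib context exposes CRL checking only; OCSP is not
    # visible here and needs a separate check.
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append(("Standard", "revocation (CRL) is not checked"))
    if not ctx.check_hostname:
        findings.append(("Standard", "server name is not matched"))
    return findings


if __name__ == "__main__":
    # Constructed contexts: library defaults versus verification switched off.
    default_ctx = ssl.create_default_context()
    unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    for label, ctx in (("default", default_ctx), ("unverified", unverified)):
        for tier, finding in audit_context(ctx):
            print(f"{label}: [{tier}] {finding}")
```

The Enhanced items (Extended Key Usage and role-specific client certificates) depend on certificate contents rather than context settings, so they are outside what this audit inspects.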




