[Openstack-security] [OSSN][DRAFT]Some SSL-Enabled connections fail to perform basic certificate checks

Clark, Robert Graham robert.clark at hp.com
Fri Aug 16 17:53:37 UTC 2013


It'd be great if you could take a run at it, I've been holding them back
to try and get more OSSG involvement.

Cheers
-Rob

On 15/08/2013 09:40, "Bhandaru, Malini K" <malini.k.bhandaru at intel.com>
wrote:

>Has anyone started working on this? If not, I shall. Sorry Rob for the
>delay.
>Malini
>
>-----Original Message-----
>From: Clark, Robert Graham [mailto:robert.clark at hp.com]
>Sent: Wednesday, August 07, 2013 5:22 AM
>To: openstack-security at lists.openstack.org
>Subject: [Openstack-security] [OSSN][DRAFT]Some SSL-Enabled connections
>fail to perform basic certificate checks
>
>Guys, can someone please add some content to this, I'm drafting up a few
>others today...
>
>Some SSL-Enabled connections fail to perform basic certificate checks
>----
>
>### Summary ###
>In many places OpenStack components use Python 2.x HTTPSConnection to
>establish an SSL connection between endpoints. This does not provide many
>of the assurances one would expect when using SSL and leaves connections
>open to potential man-in-the-middle attacks.
>
>### Affected Services / Software ###
>keystone/middleware/s3_token.py
>keystone/middleware/ec2_token.py
>keystone/common/bufferedhttp.py
>vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py
><<<<OTHERS NEED TO BE ADDED HERE>>>>>
>
>### Discussion ###
>A secure SSL session relies on validation of an X.509 certificate. Basic
>checks include:
>* Is the certificate signed by a CA I recognize
>* Has the CA revoked this certificate
>* Does the common name on the certificate match the server I'm trying to
>reach
>
>The HTTPSConnection class is used in a large number of locations and
>fails to check that certificates are signed by a valid authority.
>Without that check in place, the following checks (some highlighted
>above) are largely invalid.
>
>The result is that an attacker who has access to the network traffic
>between two endpoints relying on HTTPSConnection can trivially create a
>certificate that will be accepted by HTTPSConnection as valid - allowing
>the attacker to intercept, read and modify traffic that should be
>encrypted by SSL.
>
>### Recommended Actions ###
><<<< MORE INVESTIGATION REQUIRED here on short-long term options >>>>
>
>### Contacts / References ###
>This OSSN : https://bugs.launchpad.net/ossn/+bug/1188189
>OpenStack Security ML : openstack-security at lists.openstack.org
>OpenStack Security Group : https://launchpad.net/~openstack-ossg
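
An added example, not part of the thread or of any OpenStack code: the three checks listed in the draft's Discussion, mapped onto Python 3 `ssl.SSLContext` settings, with a context that skips validation (standing in for the Python 2.x HTTPSConnection behaviour the draft describes) beside one that enforces it. The function names and the `cafile`/`crlfile` parameters are hypothetical.

```python
import http.client
import ssl


def legacy_style_context():
    """Context with validation off: what an HTTPS client does when it
    never checks the peer certificate (the behaviour the draft describes)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted
    return ctx


def verifying_context(cafile=None, crlfile=None):
    """Context that enforces the draft's checks. cafile/crlfile are optional
    PEM paths (hypothetical); without cafile the system CA store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    if crlfile is not None:
        # Revocation is not checked unless a CRL is loaded and the flag set.
        ctx.load_verify_locations(cafile=crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit(ctx):
    """Map an SSLContext onto the three checks listed in the Discussion."""
    return {
        "signed_by_trusted_ca": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_matches": bool(ctx.check_hostname),
        "revocation_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def open_connection(host, port=443, ctx=None):
    """Build (without connecting) an HTTPSConnection; refuse weak contexts."""
    ctx = ctx or verifying_context()
    report = audit(ctx)
    if not (report["signed_by_trusted_ca"] and report["hostname_matches"]):
        raise ValueError("refusing unverified TLS context: %r" % report)
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
```

Running `audit()` over the default verifying context shows that CA and hostname checks are on while revocation stays off until a CRL is supplied.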




