[Openstack-security] [Bug 1381365] Related fix merged to keystone (master)
OpenStack Infra
1381365 at bugs.launchpad.net
Tue Apr 7 14:05:18 UTC 2015
Reviewed: https://review.openstack.org/171001
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d4a6db158e3118181ae9d96a03832c49ff8998f
Submitter: Jenkins
Branch: master
commit 1d4a6db158e3118181ae9d96a03832c49ff8998f
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date: Mon Apr 6 15:41:29 2015 -0700
Skip SSL tests because some platforms do not enable SSLv3
For "damned good security reasons" (POODLE) some platforms have
patched out SSLv3 from OpenSSL. Because Eventlet cannot be configured
for specific versions (or ciphers) and httplib is extremely limited,
the tests for SSL have been explicitly skipped. These tests should
be potentially re-enabled in the functional suite for SSL terminated
endpoints.
This comes back to "do not terminate SSL in the eventlet wsgi" that
was determined in bug 1381365.
Change-Id: Ic4b446ceee9034de5b6530c2d79d798a903fcbbf
Related-Bug: #1381365
Closes-Bug: #1435174
https://bugs.launchpad.net/bugs/1381365
Title:
SSL Version and cipher selection not possible
Status in Cinder:
New
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in OpenStack Identity (Keystone):
Won't Fix
Status in OpenStack Compute (Nova):
Won't Fix
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
We configure keystone to use SSL always. Due to the poodle issue, I was trying to configure keystone to disable SSLv3 completely.
http://googleonlinesecurity.blogspot.fi/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
It seems that keystone has no support for configuring SSL versions, nor
ciphers.
If I'm not mistaken the relevant code is in the start function in
common/environment/eventlet_server.py. It calls eventlet.wrap_ssl but with
no SSL version nor cipher options. Since the interface is identical, I
assume it uses ssl.wrap_socket. The default here seems to be
PROTOCOL_SSLv23 (SSL2 disabled), which would make this vulnerable to the
poodle issue.
SSL configs should probably be possible to be set in the config file
(with sane defaults), so that current and newly detected weak ciphers
can be disabled without code changes.
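As an added illustration (not keystone's code, and not part of the bug thread) of what the report asks for: the protocol floor and cipher list read from a config file with hardened defaults, using only the standard-library ssl module rather than eventlet.wrap_ssl. The [ssl] section and its key names are hypothetical.

```python
import ssl
from configparser import ConfigParser

# Constructed sample config; the [ssl] section and its keys are hypothetical,
# not keystone's real option names.
SAMPLE_CONFIG = """
[ssl]
min_version = TLSv1.2
ciphers = ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4
"""

# Sane defaults used when the operator sets nothing at all.
DEFAULT_MIN_VERSION = "TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4"

# Accepted protocol floors. SSLv3 (POODLE) and earlier are deliberately
# absent, so a config asking for them is refused instead of honoured.
ALLOWED_MIN_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def build_server_context(config_text=SAMPLE_CONFIG):
    """Server-side SSLContext whose version floor and ciphers come from config."""
    cfg = ConfigParser()
    cfg.read_string(config_text)
    min_version = cfg.get("ssl", "min_version", fallback=DEFAULT_MIN_VERSION)
    ciphers = cfg.get("ssl", "ciphers", fallback=DEFAULT_CIPHERS)
    if min_version not in ALLOWED_MIN_VERSIONS:
        raise ValueError("refusing weak min_version %r" % min_version)
    # PROTOCOL_TLS_SERVER is the modern name for PROTOCOL_SSLv23: it negotiates
    # the highest shared version, so the floor must be pinned separately.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3  # explicit, even where default
    ctx.minimum_version = ALLOWED_MIN_VERSIONS[min_version]
    ctx.set_ciphers(ciphers)
    return ctx

def accepts_config(config_text):
    """True if the config yields a context, False if it was refused as weak."""
    try:
        build_server_context(config_text)
    except ValueError:
        return False
    return True

def sslv3_disabled(ctx):
    """True when the context carries the OP_NO_SSLv3 flag."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)
```

An empty config still yields a TLS 1.2 floor with the default cipher string, while a config naming SSLv3 is rejected at startup rather than silently serving a POODLE-exposed endpoint.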