[Openstack-security] [Bug 1370283] Re: python-glanceclient uses extremely insecure configurations of OpenSSL
OpenStack Infra
1370283 at bugs.launchpad.net
Mon Feb 23 16:06:56 UTC 2015
Reviewed: https://review.openstack.org/122749
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=9dcf3f16ce1cb7e828ee3d1811bc0ebd44abb106
Submitter: Jenkins
Branch: master
commit 9dcf3f16ce1cb7e828ee3d1811bc0ebd44abb106
Author: Stuart McLaren <stuart.mclaren at hp.com>
Date: Fri Sep 19 14:25:10 2014 +0000
Reduce the set of supported client SSL ciphers
python-glanceclient (like, for example, curl) can advertise the default
set of supported OpenSSL ciphers in its ClientHello packet.
This patch reduces that to a stronger subset.
Change-Id: I7c30465e79d8a32f43458cd6253a98fcf067dc38
Closes-bug: #1370283
** Changed in: python-glanceclient
Status: In Progress => Fix Committed
--
https://bugs.launchpad.net/bugs/1370283
Title:
python-glanceclient uses extremely insecure configurations of OpenSSL
Status in OpenStack Security Advisories:
Won't Fix
Status in Python client library for Glance:
Fix Committed
Bug description:
glanceclient does not properly configure OpenSSL, which results in
making TLS connections which allow extremely bad security settings.
Specifically it allows SSLv2, and many insecure ciphersuites. From
Ubuntu 14.04:
>>> import pprint; import glanceclient.common.http; pprint.pprint(glanceclient.common.http.HTTPClient('https://', ssl_compression=False).session.get("https://www.howsmyssl.com/a/check").json())
{u'able_to_detect_n_minus_one_splitting': False,
u'beast_vuln': False,
u'ephemeral_keys_supported': True,
u'given_cipher_suites': [u'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384',
u'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
u'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
u'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA',
u'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA',
u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
u'TLS_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_RSA_WITH_AES_256_CBC_SHA256',
u'TLS_RSA_WITH_AES_256_CBC_SHA',
u'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
u'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256',
u'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
u'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
u'TLS_DHE_DSS_WITH_SEED_CBC_SHA',
u'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
u'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA',
u'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA',
u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
u'TLS_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_RSA_WITH_AES_128_CBC_SHA',
u'TLS_RSA_WITH_SEED_CBC_SHA',
u'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
u'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
u'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',
u'TLS_ECDH_RSA_WITH_RC4_128_SHA',
u'TLS_ECDH_ECDSA_WITH_RC4_128_SHA',
u'TLS_RSA_WITH_RC4_128_SHA',
u'TLS_RSA_WITH_RC4_128_MD5',
u'TLS_DHE_RSA_WITH_DES_CBC_SHA',
u'TLS_DHE_DSS_WITH_DES_CBC_SHA',
u'TLS_RSA_WITH_DES_CBC_SHA',
u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA',
u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
u'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
u'TLS_EMPTY_RENEGOTIATION_INFO_SCSV'],
u'insecure_cipher_suites': {u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_DHE_DSS_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_DHE_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_EXPORT_WITH_RC4_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption']},
u'rating': u'Bad',
u'session_ticket_supported': True,
u'tls_compression_supported': False,
u'tls_version': u'TLS 1.2',
u'unknown_cipher_suite_supported': False}
I *strongly* recommend just deleting all this code and using requests.
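Added here as an example of both halves of the report, not code from python-glanceclient or from the bug reporter: a name-based audit of an offered cipher list, shaped like the insecure_cipher_suites field howsmyssl returns above, and a hardened client SSLContext built with the Python 3 ssl module whose offered list passes that audit. The cipher string HARDENED_CIPHERS and the sample list are assumptions (the sample is a constructed subset of the given_cipher_suites output above; the string is not the one the glanceclient commit chose).

```python
import re
import ssl

# Reasons a suite should not be offered in a ClientHello. Each regex matches
# both the IANA name (TLS_RSA_EXPORT_WITH_RC4_40_MD5, as howsmyssl reports it)
# and the OpenSSL name (EXP-RC4-MD5, as SSLContext.get_ciphers() reports it).
WEAK_SUITE_RULES = [
    ("export-grade key size", re.compile(r"EXPORT|EXP\d*-|DES40|RC2")),
    ("single DES", re.compile(r"(?<!3)DES(?!-CBC3|_EDE)")),
    ("3DES", re.compile(r"3DES|DES-CBC3|DES_EDE")),
    ("RC4", re.compile(r"RC4")),
    ("MD5 MAC", re.compile(r"MD5")),
    ("anonymous key exchange or null cipher", re.compile(r"ADH|AECDH|anon|NULL")),
]

# Assumed hardened cipher string (not the one from the glanceclient commit):
# forward-secret AES only, with the weak families above explicitly excluded.
HARDENED_CIPHERS = ("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:"
                    "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT")

# Constructed subset of the given_cipher_suites list in the bug report.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
]

def audit_suites(names):
    """Map each weak suite to its reasons, shaped like howsmyssl's
    insecure_cipher_suites field; suites with no finding are omitted."""
    findings = {}
    for name in names:
        reasons = [why for why, rx in WEAK_SUITE_RULES if rx.search(name)]
        if reasons:
            findings[name] = reasons
    return findings

def hardened_client_context():
    """Client context that refuses SSLv2/v3 and TLS 1.0/1.1, disables TLS
    compression (the ssl_compression=False knob) and offers HARDENED_CIPHERS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # also verifies cert + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx

def offered_cipher_names(ctx):
    """OpenSSL names of the suites this context would advertise."""
    return [c["name"] for c in ctx.get_ciphers()]
```

Running audit_suites over the full given_cipher_suites list above reproduces the eight export and DES suites howsmyssl flagged and additionally flags the RC4, MD5 and 3DES entries it still accepted in 2014.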