** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: ossn
     Assignee: (unassigned) => Ian Cordasco (icordasc)

** Changed in: ossn
       Status: New => In Progress

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1436082

Title:
  VMWare and HTTP stores do not verify HTTPS Connections as they use
  httplib.HTTPSConnection

Status in OpenStack Glance backend store-drivers library (glance_store):
  In Progress
Status in OpenStack Security Notes:
  In Progress

Bug description:
  VMWare store:
  https://github.com/openstack/glance_store/blob/ea88e503b617a7ac9a0ae7e537d6517e9992a104/glance_store/_drivers/vmware_datastore.py#L501
  (_get_conn_class above uses simply httplib.HTTPSConnection).

  HTTP Store:
  https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/http.py#L179

  This leaves both stores open to man-in-the-middle attacks while
  transferring image data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance-store/+bug/1436082/+subscriptions
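
The verification gap described in this report, as an added example that is not part of the bug report or of glance_store's code: a guard that refuses to build an HTTPS connection unless its TLS context validates both the certificate chain and the hostname. It assumes Python 3's http.client in place of httplib; all function names and the host name are hypothetical.

```python
import http.client
import ssl


def legacy_style_context():
    """Model of the behaviour the report describes: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """Context that validates the chain and hostname (system CAs when cafile is None)."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def verifies_peer(ctx):
    """True only if both chain validation and hostname matching are enforced."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_image_connection(host, port=443, context=None, timeout=30):
    """Build (without connecting) an HTTPS connection for image transfer.

    Raises ValueError if the supplied context would skip verification, so a
    misconfigured store fails closed instead of transferring data unverified.
    """
    ctx = context if context is not None else verifying_context()
    if not verifies_peer(ctx):
        raise ValueError("refusing HTTPS connection without certificate verification")
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    # Constructed host name; no network traffic happens until a request is sent.
    conn = open_image_connection("images.example.invalid")
    print("verified connection object for", conn.host)
    try:
        open_image_connection("images.example.invalid", context=legacy_style_context())
    except ValueError as exc:
        print("rejected:", exc)
```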