[Openstack] [OSSG][OSSN] Some SSL-Enabled connections fail to perform basic certificate checks

Clark, Robert Graham robert.clark at hp.com
Thu Sep 19 17:28:30 UTC 2013 

Some SSL-Enabled connections fail to perform basic certificate checks
----

### Summary ###
In many places OpenStack components use Python 2.x HTTPSConnection to
establish an SSL connection between endpoints. This does not provide
many of the assurances one would expect when using SSL and leaves
connections open to potential man-in-the-middle attacks

### Affected Services / Software ###
keystone/middleware/s3_token.py
keystone/middleware/ec2_token.py
keystone/common/bufferedhttp.py
vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token
.py

### Discussion ###
A secure SSL session relies on validation of a X.509 certificate. Basic
checks include:
* Is the certificate signed by a CA I recognize
* Has the CA revoked this certificate
* Does the common name on the certificate match the server I'm trying to
reach

The HTTPSConnection class is used in a large number of locations and
fails to check that certificates are signed by a valid authority.
Without that check in place, the following checks (some highlighted
above) are largely invalid.

The result is that an attacker who has access to the network traffic
between two endpoints relying on HTTPSConnection can trivially create a
certificate that will be accepted by HTTPSConnection as valid - allowing
the attacker to intercept, read and modify traffic that should be
encrypted by SSL.

### Recommended Actions ###
Some projects have updated their code to be more secure, others have
not. The OSSG suggest cloud deployers check the status of bug
https://bugs.launchpad.net/ossn/+bug/1188189 to see if the projects they
require have updated.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1188189
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6187 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130919/eef04da2/attachment.bin>

More information about the Openstack mailing list