[Openstack] [Openstack-security] API Security

Clark, Robert Graham robert.clark at hp.com
Tue Apr 29 14:41:38 UTC 2014


I'd say the top three terminators in use today are probably Stunnel,
Stud and Pound - all rely on OpenSSL. I'm sure there's a plethora of
alternatives but I'd imagine most are OpenSSL based, the most likely
alternative being NSS which is a big library to use for something like a
terminator.

> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: 29 April 2014 15:39
> To: Hao Wang; Clark, Robert Graham
> Cc: openstack-security at lists.openstack.org; openstack; Aaron Knister
> Subject: Re: [Openstack-security] [Openstack] API Security
> 
> Hao Wang wrote:
> > Thanks. It makes sense. The other questions are, would Heartbleed be a
> > potential risk? Which solution is being used in OpenStack SSL?
> 
> Native SSL services (eventlet) are based on OpenSSL, as is Apache
> (horizon) so yes, the risk is there if you haven't updated your OpenSSL
> libraries.
> 
> The general consensus however is to use SSL terminators rather than
> enabling SSL in the endpoints directly. You'd need to investigate the SSL
> library in the terminator you choose, though it would likely be OpenSSL.
> 
> Check this out as well, https://blog-nkinder.rhcloud.com/?p=7
> 
> rob
> 
> >
> >
> > On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham
> > <robert.clark at hp.com> wrote:
> >
> >     This is why any production API servers should all be running TLS/SSL
> >     - to protect the confidentiality of messages in flight.
> >
> >     There have been efforts to remove sensitive information from logs,
> >     I'm a little surprised that passwords are logged in Neutron.
> >
> >     From: Hao Wang [mailto:hao.1.wang at gmail.com]
> >     Sent: 29 April 2014 14:06
> >     To: openstack-security at lists.openstack.org
> >     Cc: openstack; Aaron Knister
> >     Subject: Re: [Openstack-security] [Openstack] API Security
> >
> >     Adding security group...
> >
> >     On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <hao.1.wang at gmail.com> wrote:
> >
> >         It is the client. I got this message with DEBUG enabled:
> >
> >         curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H
> >         "Content-Type: application/json" -H "Accept: application/json"
> >         -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName":
> >         "admin", "passwordCredentials": {"username": "admin",
> >         "password": "admin"}}}'
> >
> >         It can be seen that username and password are right in the
> >         message.
> >
> >         Hao
> >
> >         On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister
> >         <aaron.knister at gmail.com> wrote:
> >
> >             Was it the client or the server that exposed the credentials?
> >
> >             Sent from my iPhone
> >
> >
> >             On Apr 26, 2014, at 2:28 PM, Hao Wang <hao.1.wang at gmail.com> wrote:
> >
> >                 Hi,
> >
> >                 I am troubleshooting a neutron case. It was just found
> >                 that if DEBUG was enabled, neutron would print out JSON
> >                 data with username and password. I am wondering what
> >                 kind of protocol is used in production environment to
> >                 prevent this security risk from happening.
> >
> >                 Thanks,
> >
> >                 Hao
> >
> >                 _______________________________________________
> >                 Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >                 Post to     : openstack at lists.openstack.org
> >                 Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >
> >
> > _______________________________________________
> > Openstack-security mailing list
> > Openstack-security at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> >
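As an added illustration of the log scrubbing Clark refers to ("efforts to remove sensitive information from logs"), here is a small Python helper that masks credential values in a request body before it is written to a DEBUG log. This is example code written for this archive page, not Neutron's or oslo's own implementation; the list of sensitive field names is a constructed assumption, and the sample body is the Keystone v2 token request quoted in the thread, reconstructed with the credentials left in so the masking has something to act on. It handles both the JSON body itself and the free-text case (a logged curl command line) that the thread shows.

```python
"""Mask credentials in request bodies before they reach a DEBUG log.

Added example, not Neutron's or oslo's own code. Assumptions: the set of
sensitive field names below is a constructed list, and a body may be JSON
or free text (such as a logged curl command line).
"""
import json
import re

# Constructed list of field names whose values must never be logged.
SENSITIVE_KEYS = {"password", "token", "secret", "auth_token", "adminpass"}
MASK = "***"

# Constructed sample: the Keystone v2 token request quoted in the thread,
# as a client would emit it with DEBUG enabled.
SAMPLE_BODY = json.dumps({
    "auth": {
        "tenantName": "admin",
        "passwordCredentials": {"username": "admin", "password": "admin"},
    }
})


def mask_structure(obj):
    """Recursively replace the value of any sensitive key in dicts/lists."""
    if isinstance(obj, dict):
        return {
            key: MASK if key.lower() in SENSITIVE_KEYS else mask_structure(value)
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [mask_structure(item) for item in obj]
    return obj


# Fallback for text that is not valid JSON: matches "password": "x",
# password=x and password: x forms, case-insensitively, on whole words only.
_KEY_ALTERNATION = "|".join(sorted(SENSITIVE_KEYS))
_TEXT_PATTERN = re.compile(
    r'(?P<key>["\']?\b(?:' + _KEY_ALTERNATION + r')\b["\']?\s*[:=]\s*["\']?)'
    r'(?P<value>[^"\'&,\s}]*)',
    re.IGNORECASE,
)


def mask_text(text):
    """Mask sensitive values in free-form text, keeping the key visible."""
    return _TEXT_PATTERN.sub(lambda m: m.group("key") + MASK, text)


def mask_body(body):
    """Return a log-safe copy of a request body (JSON or free text)."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return mask_text(body)
    return json.dumps(mask_structure(parsed), sort_keys=True)


if __name__ == "__main__":
    print(mask_body(SAMPLE_BODY))
```

Masking at the logging boundary complements, rather than replaces, the TLS point made earlier in the thread: TLS protects the credential in flight, while scrubbing protects it once the request is at rest in a log file that operators, support staff and backup systems can read. The structured path is preferred when the body parses as JSON because it cannot be fooled by quoting or whitespace; the regex path is a best-effort fallback for non-JSON text and should be treated as such.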


