[Openstack] [Openstack-security] API Security

Hao Wang hao.1.wang at gmail.com
Tue Apr 29 15:03:33 UTC 2014


The SSL terminator will terminate at the network boundary. I am wondering
whether crackers could figure out a way to sneak into the internal network and
still capture all the sensitive information. Is this a concern for a
private cloud?


On Tue, Apr 29, 2014 at 10:39 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Hao Wang wrote:
>
>> Thanks. It makes sense. The other questions are, would Heartbleed be a
>> potential risk? Which solution is being used in OpenStack SSL?
>>
>
> Native SSL services (eventlet) are based on OpenSSL, as is Apache
> (horizon) so yes, the risk is there if you haven't updated your OpenSSL
> libraries.
>
> The general consensus however is to use SSL terminators rather than
> enabling SSL in the endpoints directly. You'd need to investigate the SSL
> library in the terminator you choose, though it would likely be OpenSSL.
>
> Check this out as well, https://blog-nkinder.rhcloud.com/?p=7
>
> rob
>
>
>>
>> On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham
>> <robert.clark at hp.com <mailto:robert.clark at hp.com>> wrote:
>>
>>     This is why any production API servers should all be running TLS/SSL
>>     – to protect the confidentiality of messages in flight.
>>
>>     There have been efforts to remove sensitive information from logs,
>>     I’m a little surprised that passwords are logged in Neutron.
>>
>>     *From:* Hao Wang [mailto:hao.1.wang at gmail.com
>>     <mailto:hao.1.wang at gmail.com>]
>>     *Sent:* 29 April 2014 14:06
>>     *To:* openstack-security at lists.openstack.org
>>     <mailto:openstack-security at lists.openstack.org>
>>     *Cc:* openstack; Aaron Knister
>>     *Subject:* Re: [Openstack-security] [Openstack] API Security
>>
>>     Adding security group...
>>
>>
>>     On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <hao.1.wang at gmail.com
>>     <mailto:hao.1.wang at gmail.com>> wrote:
>>
>>         It is the client. I got this message with DEBUG enabled:
>>
>>         curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H
>>         "Content-Type: application/json" -H "Accept: application/json"
>>         -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName":
>>         "admin", "passwordCredentials": {"username": "admin",
>>         "password": "admin"}}}'
>>
>>         It can be seen that username and password are right in the
>>         message.
>>
>>         Hao
>>
>>
>>         On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister
>>         <aaron.knister at gmail.com <mailto:aaron.knister at gmail.com>>
>>         wrote:
>>
>>             Was it the client or the server that exposed the credentials?
>>
>>             Sent from my iPhone
>>
>>
>>
>>             On Apr 26, 2014, at 2:28 PM, Hao Wang <hao.1.wang at gmail.com
>>             <mailto:hao.1.wang at gmail.com>> wrote:
>>
>>                 Hi,
>>
>>                 I am troubleshooting a neutron case. It was just found
>>                 that if DEBUG was enabled, neutron would print out JSON
>>                 data with username and password. I am wondering what
>>                 kind of protocol is used in a production environment to
>>                 prevent this security risk from happening.
>>
>>                 Thanks,
>>
>>                 Hao
>>
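The thread's conclusion is that the credentials leaked from the client's own DEBUG output, not from the wire, so TLS protects the request in flight but does nothing for a log line that already contains the password. The complementary control is scrubbing sensitive fields before they reach any log handler. The following Python is an added example written for this page; it is not code from the thread and not OpenStack's own implementation (oslo.utils ships its own `mask_password` helper, which this does not reuse). It masks password-like keys in a logged JSON request body, flags plaintext `http://` endpoints such as the one in the captured curl line, and attaches the scrubber to the standard `logging` pipeline. The key list, the curl-line regex and the sample debug line are constructed for the example.

```python
import json
import logging
import re
from typing import Any, List

# Constructed for this example: key names whose values must never be logged.
# Matching is case-insensitive, so "Password" and "adminPass" are caught too.
SENSITIVE_KEYS = {"password", "token", "auth_token", "secret", "adminpass"}
MASK = "***"

# Constructed sample line with the same shape as the curl command quoted in
# the thread (a client emitting the raw request at DEBUG level).
SAMPLE_DEBUG_LINE = (
    "curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST "
    '-H "Content-Type: application/json" -H "Accept: application/json" '
    "-d '{\"auth\": {\"tenantName\": \"admin\", "
    "\"passwordCredentials\": {\"username\": \"admin\", \"password\": \"admin\"}}}'"
)


def mask_sensitive(obj: Any) -> Any:
    """Return a copy of a parsed JSON value with sensitive values replaced by MASK.

    Recurses through dicts and lists, so a password nested under
    auth.passwordCredentials is masked exactly like a top-level one.
    """
    if isinstance(obj, dict):
        return {
            key: (MASK if key.lower() in SENSITIVE_KEYS else mask_sensitive(value))
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [mask_sensitive(item) for item in obj]
    return obj


# Matches the -d '<json body>' argument of a logged curl command.
_CURL_BODY = re.compile(r"-d\s+'(\{.*\})'", re.DOTALL)
# Matches single-quoted plaintext endpoints such as 'http://host:35357/...'.
_HTTP_URL = re.compile(r"'(http://[^']+)'")


def redact_curl_line(line: str) -> str:
    """Mask credentials inside the JSON body of a debug-logged curl line.

    If the body is not valid JSON, the whole payload is replaced rather than
    passed through, so a malformed request never leaks cleartext secrets.
    """
    def _replace(match: "re.Match[str]") -> str:
        try:
            body = json.loads(match.group(1))
        except json.JSONDecodeError:
            return "-d '<redacted: unparseable body>'"
        return "-d '%s'" % json.dumps(mask_sensitive(body), separators=(",", ":"))

    return _CURL_BODY.sub(_replace, line)


def plaintext_endpoints(line: str) -> List[str]:
    """Return every http:// (non-TLS) endpoint referenced on a logged line."""
    return _HTTP_URL.findall(line)


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs each record before any handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message once, redact it, and clear args so the handler
        # cannot re-format the record and re-insert the original secret.
        record.msg = redact_curl_line(record.getMessage())
        record.args = ()
        return True


def scrub_through_logging(line: str) -> str:
    """Push one line through RedactingFilter and return what a handler would see."""
    record = logging.LogRecord(
        "example.client", logging.DEBUG, __file__, 0, line, (), None
    )
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    print(scrub_through_logging(SAMPLE_DEBUG_LINE))
    print("plaintext endpoints:", plaintext_endpoints(SAMPLE_DEBUG_LINE))
```

In a real client you would attach `RedactingFilter` to the logger that emits the request dump (`logging.getLogger("example.client").addFilter(RedactingFilter())`, name assumed), and treat any non-empty result from `plaintext_endpoints` on an API log line as a misconfiguration to chase down, since it means the request left the client without TLS.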