[Openstack] [Openstack-security] API Security

Clark, Robert Graham robert.clark at hp.com
Tue Apr 29 15:15:59 UTC 2014


You can terminate SSL anywhere, it doesn’t have to be at the boundary necessarily. Many larger deployments will utilize hardware terminators at the network edge and then internally use software-based terminators (like Stunnel).

 

There’s a growing effort to use SSL everywhere, I can second Rob Crittenden’s comments – check out Nathan Kinder's blog entry on the topic https://blog-nkinder.rhcloud.com/?p=7

 

From: Hao Wang [mailto:hao.1.wang at gmail.com] 
Sent: 29 April 2014 16:04
To: Rob Crittenden
Cc: Clark, Robert Graham; openstack-security at lists.openstack.org; openstack; Aaron Knister
Subject: Re: [Openstack-security] [Openstack] API Security

 

An SSL terminator terminates at the network boundary. I am wondering whether crackers could still find a way to sneak into the internal network and capture all the sensitive information. Is this a concern for a private cloud?

 

On Tue, Apr 29, 2014 at 10:39 AM, Rob Crittenden <rcritten at redhat.com> wrote:

Hao Wang wrote:

Thanks. It makes sense. The other questions are, would Heartbleed be a
potential risk? Which solution is being used in OpenStack SSL?

 

Native SSL services (eventlet) are based on OpenSSL, as is Apache (horizon) so yes, the risk is there if you haven't updated your OpenSSL libraries.

The general consensus however is to use SSL terminators rather than enabling SSL in the endpoints directly. You'd need to investigate the SSL library in the terminator you choose, though it would likely be OpenSSL.

Check this out as well, https://blog-nkinder.rhcloud.com/?p=7

rob



On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham <robert.clark at hp.com> wrote:

    This is why all production API servers should be running TLS/SSL
    – to protect the confidentiality of messages in flight.



    There have been efforts to remove sensitive information from logs;
    I’m a little surprised that passwords are logged in Neutron.

    *From:* Hao Wang [mailto:hao.1.wang at gmail.com]
    *Sent:* 29 April 2014 14:06
    *To:* openstack-security at lists.openstack.org
    *Cc:* openstack; Aaron Knister
    *Subject:* Re: [Openstack-security] [Openstack] API Security

    Adding security group...



    On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <hao.1.wang at gmail.com> wrote:

        It is the client. I got this message with DEBUG enabled:

        curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H
        "Content-Type: application/json" -H "Accept: application/json"
        -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName":
        "admin", "passwordCredentials": {"username": "admin",
        "password": "admin"}}}'



        It can be seen that the username and password are right in the
        message.

        Hao



        On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <aaron.knister at gmail.com> wrote:



            Was it the client or the server that exposed the credentials?

            Sent from my iPhone




            On Apr 26, 2014, at 2:28 PM, Hao Wang <hao.1.wang at gmail.com> wrote:

                Hi,



                I am troubleshooting a Neutron case. It was just found
                that if DEBUG was enabled, Neutron would print out JSON
                data with the username and password. I am wondering what
                kind of protocol is used in a production environment to
                prevent this security risk from happening.

                Thanks,

                Hao



                _______________________________________________
                Mailing list:
                http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
                Post to     : openstack at lists.openstack.org
                Unsubscribe :
                http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack





_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
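The debug-log leak shown in this thread, the Keystone token request body with its username and password rendered into a DEBUG line, is what the log-scrubbing efforts mentioned above are meant to stop. This is an added example, not code from OpenStack or from anyone in the thread; the set of sensitive key names and the marker used for non-JSON bodies are my assumptions.

```python
import json
import re

# Key names whose values must never reach a DEBUG line. "password" is the
# field from the Keystone token request in this thread; the rest is an
# assumed default list, not OpenStack's own.
SENSITIVE_KEYS = {"password", "token", "auth_token", "secret", "api_key"}
MASK = "***"

# Matches "password": "<value>" in an already-rendered log string, such as
# the curl command the client printed. Does not match "passwordCredentials".
_PASSWORD_RE = re.compile(r'("password"\s*:\s*")[^"]*(")')


def redact(obj):
    """Return a copy of a decoded JSON structure with sensitive values masked."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def safe_debug_body(raw_body):
    """Redact a request body before it is written to a DEBUG log line.

    A body that is not valid JSON is replaced by a fixed marker (assumed
    policy), so a malformed payload cannot leak through an "unparseable" path.
    """
    try:
        data = json.loads(raw_body)
    except ValueError:
        return "<non-JSON body redacted>"
    return json.dumps(redact(data), sort_keys=True)


def mask_password_text(text):
    """Mask password values in text that is already a rendered string,
    for loggers that format the whole command line (as in the thread)."""
    return _PASSWORD_RE.sub(r"\1" + MASK + r"\2", text)


# Constructed sample: the body the thread's curl command sends to Keystone.
SAMPLE_BODY = ('{"auth": {"tenantName": "admin", "passwordCredentials": '
               '{"username": "admin", "password": "admin"}}}')

if __name__ == "__main__":
    print("DEBUG body=%s" % safe_debug_body(SAMPLE_BODY))
```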

 

 
