API Server doesn't validate client ssl certificate

Bug #1032451 reported by Brian Waldon
Affects: Glance
Status: Fix Released
Importance: High
Assigned to: Brian Waldon

Bug Description

The ssl-wrapped socket returned by glance.common.wsgi:get_socket doesn't appear to validate client-provided certs. Somebody should first verify that this is true. Assuming it is true, we should provide a way for deployers to require client certs be provided/validated when Glance is deployed using SSL.

Brian Waldon (bcwaldon) wrote :

I confirmed this; I can send self-signed certs and the server doesn't care. Fix will be up shortly.

no longer affects: glance/folsom
Changed in glance:
milestone: none → folsom-3
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10787

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/10787
Committed: http://github.com/openstack/glance/commit/006254c5050176c9b569007f6ef7203e6067215d
Submitter: Jenkins
Branch: master

commit 006254c5050176c9b569007f6ef7203e6067215d
Author: Brian Waldon <email address hidden>
Date: Fri Aug 3 10:56:06 2012 -0700

    Allow server-side validation of client ssl certs

    This adds a 'ca_file' config option that points to a local
    CA cert that will be used to verify certs provided by
    connecting clients. The 'ca_file' option is only used if the
    server is already properly configured to use SSL - that
    means having a valid 'cert_file' and 'key_file'. If no 'ca_file'
    is provided, the behavior will remain the same - the server
    will still provide its cert to clients, but it will ignore
    certs sent back from those clients.

    Fixes bug 1032451

    Change-Id: Ie48646b0fc5398ba7cda2fb627b820f533482e00

Changed in glance:
status: In Progress → Fix Committed
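The behaviour the commit message describes, as an added example that is not Glance's own code: a Python TLS server context that requires and verifies client certs only when a ca_file is configured, exercised over loopback in the three cases (no ca_file, ca_file with no client cert, ca_file with a trusted client cert). It assumes the openssl CLI is on PATH to generate throwaway self-signed certificates; the names glance-api and trusted-client are constructed.

```python
import os, shutil, socket, ssl, subprocess, tempfile, threading
def client_verify_mode(ca_file):
    # Policy from the fix: a ca_file means client certs are required and checked; without one the old behaviour stays.
    return ssl.CERT_REQUIRED if ca_file else ssl.CERT_NONE

def make_server_context(cert_file, key_file, ca_file=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # the server's own identity
    ctx.verify_mode = client_verify_mode(ca_file)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def self_signed(workdir, name):  # constructed test material via the openssl CLI (assumed on PATH)
    cert, key = os.path.join(workdir, name + ".crt"), os.path.join(workdir, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def server_accepts(server_ctx, client_cert=None, client_key=None):
    # One loopback handshake; True if the server completed it. Judged server-side: with TLS 1.3 the
    # client's handshake returns before the server's verdict arrives.
    listener = socket.socket(); listener.bind(("127.0.0.1", 0)); listener.listen(1); listener.settimeout(5)
    outcome = []
    def serve():
        conn, _ = listener.accept(); conn.settimeout(5)
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:  # handshake runs here
                tls.sendall(b"ok"); outcome.append(True)
        except OSError:  # e.g. "peer did not return a certificate"
            outcome.append(False)
    t = threading.Thread(target=serve); t.start()
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname, cctx.verify_mode = False, ssl.CERT_NONE  # server identity is not under test
    if client_cert: cctx.load_cert_chain(client_cert, client_key)
    with socket.create_connection(listener.getsockname(), timeout=5) as raw:
        try:
            with cctx.wrap_socket(raw) as tls: tls.recv(2)  # surfaces the server's alert if rejected
        except OSError: pass
    t.join(); listener.close()
    return outcome[0]

def demo():  # None when openssl is unavailable, else the three cases the commit message describes
    if not shutil.which("openssl"): return None
    with tempfile.TemporaryDirectory() as d:
        srv_cert, srv_key = self_signed(d, "glance-api")
        cli_cert, cli_key = self_signed(d, "trusted-client")  # its cert doubles as the ca_file
        strict = make_server_context(srv_cert, srv_key, ca_file=cli_cert)
        return {"no ca_file, no client cert": server_accepts(make_server_context(srv_cert, srv_key)),
                "ca_file, no client cert": server_accepts(strict),
                "ca_file, trusted client cert": server_accepts(strict, cli_cert, cli_key)}
```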
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: folsom-3 → 2012.2