OpenStack Compute (nova)

vmware driver does not validate server certificates

Bug #1276207 reported by Eric Brown on 2014-02-04

This bug affects 3 people

	Status	Importance	Assigned to	Milestone
Ceilometer	Fix Released	Medium	Eric Brown	Ceilometer 5.0.0 "liberty"
Cinder	Fix Released	Medium	Vipin Balachandran	Cinder 7.0.0 "liberty"
Glance	New	Undecided	Johnson koil raj
OpenStack Compute (nova)	Fix Released	Medium	Radoslav Gerganov	OpenStack Compute (nova) 12.0.0 "liberty"
oslo.vmware	Fix Released	Medium	Unassigned	oslo.vmware 0.10.0

Bug Description

The VMware driver establishes connections to vCenter over HTTPS, yet the vCenter server certificate is not verified as part of the connection process. I know this because my vCenter server is using a self-signed certificate which always fails certification verification. As a result, someone could use a man-in-the-middle attack to spoof the vcenter host to nova.

The vmware driver has a dependency on Suds, which I believe also does not validate certificates because hartsock and I noticed it uses urllib.

For reference, here is a link on secure connections in OpenStack:
https://wiki.openstack.org/wiki/SecureClientConnections

Assuming Suds is fixed to provide an option for certificate verification, next step would be to modify the vmware driver to provide an option to override invalid certificates (such as self-signed). In other parts of OpenStack, there are options to bypass the certificate check with a "insecure" option set, or you could put the server's certificate in the CA store.

Tags:

Eric Brown (ericwb) on 2014-02-06

Changed in nova:
assignee:	nobody → Eric Brown (ericwb)

Revision history for this message

Eric Brown (ericwb) wrote on 2014-02-07:

Opened a bug on pyvmomi - one of the future dependencies.
https://github.com/vmware/pyvmomi/issues/13

Revision history for this message

Eric Brown (ericwb) wrote on 2014-02-07:

Opened a bug on Suds:
https://github.com/pik4ez/python-suds/issues/2

Changed in nova:
status:	New → In Progress

Revision history for this message

Visnusaran Murugan (visnusaran-murugan) wrote on 2014-02-10:

Can be achieved be overriding suds transport to use requests library.

Shawn Hartsock (hartsock) on 2014-02-11

Changed in nova:
importance:	Undecided → Medium
milestone:	none → icehouse-3
milestone:	icehouse-3 → next

John Garbutt (johngarbutt) on 2014-03-05

Changed in nova:
milestone:	next → none

Eric Brown (ericwb) on 2014-05-28

Changed in nova:
assignee:	Eric Brown (ericwb) → nobody
status:	In Progress → Confirmed

Johnson koil raj (jjohnsonkoilraj) on 2014-07-31

Changed in cinder:
assignee:	nobody → Johnson koil raj (jjohnsonkoilraj)

Vipin Balachandran (vbala) on 2014-08-01

Changed in cinder:
importance:	Undecided → Low
status:	New → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-01: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/111226

Changed in cinder:
status:	Confirmed → In Progress

Mike Perez (thingee) on 2014-08-07

tags:

added: drivers

Revision history for this message

Yalu Bai (yalu0311) wrote on 2014-08-13: Re: [Bug 1276207] Re: vmware driver does not validate server certificates

i am so sorry,your comany's service isn't not well within my ISP,i compared
to other vpn providers,their service in my enviroment is very well,the
speed of connectivity is just three or five seconds ,but your service
commonly is three or five minutes,worsely can not connected to servers ,so
i insist on refunding ,please don't find any reason to answer me ,have no
relationship with the config or other reason,but the network your compnay
provided ,so don't delay the date to refund ,because several time's round
,the time is over ,so ,please deal with my refund ,thanks !

2014-08-13 3:06 GMT+08:00 Davanum Srinivas (DIMS) <email address hidden>:

> ** Also affects: oslo.vmware
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to
> OpenStack Compute (nova).
> Matching subscriptions: clearity
> https://bugs.launchpad.net/bugs/1276207
>
> Title:
> vmware driver does not validate server certificates
>
> Status in Cinder:
> In Progress
> Status in OpenStack Compute (Nova):
> Confirmed
> Status in Oslo VMware library for OpenStack projects:
> New
>
> Bug description:
> The VMware driver establishes connections to vCenter over HTTPS, yet
> the vCenter server certificate is not verified as part of the
> connection process. I know this because my vCenter server is using a
> self-signed certificate which always fails certification verification.
> As a result, someone could use a man-in-the-middle attack to spoof the
> vcenter host to nova.
>
> The vmware driver has a dependency on Suds, which I believe also does
> not validate certificates because hartsock and I noticed it uses
> urllib.
>
> For reference, here is a link on secure connections in OpenStack:
> https://wiki.openstack.org/wiki/SecureClientConnections
>
> Assuming Suds is fixed to provide an option for certificate
> verification, next step would be to modify the vmware driver to
> provide an option to override invalid certificates (such as self-
> signed). In other parts of OpenStack, there are options to bypass the
> certificate check with a "insecure" option set, or you could put the
> server's certificate in the CA store.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1276207/+subscriptions
>

2014-08-13 3:06 GMT+08:00 Davanum Srinivas (DIMS) <davanum@gmail.com>:

> ** Also affects: oslo.vmware
>    Importance: Undecided
>        Status: New
>
> --
> You received this bug notification because you are subscribed to
> OpenStack Compute (nova).
> Matching subscriptions: clearity
> https://bugs.launchpad.net/bugs/1276207
>
> Title:
>   vmware driver does not validate server certificates
>
> Status in Cinder:
>   In Progress
> Status in OpenStack Compute (Nova):
>   Confirmed
> Status in Oslo VMware library for OpenStack projects:
>   New
>
> Bug description:
>   The VMware driver establishes connections to vCenter over HTTPS, yet
>   the vCenter server certificate is not verified as part of the
>   connection process.  I know this because my vCenter server is using a
>   self-signed certificate which always fails certification verification.
>   As a result, someone could use a man-in-the-middle attack to spoof the
>   vcenter host to nova.
>
>   The vmware driver has a dependency on Suds, which I believe also does
>   not validate certificates because hartsock and I noticed it uses
>   urllib.
>
>   For reference, here is a link on secure connections in OpenStack:
>   https://wiki.openstack.org/wiki/SecureClientConnections
>
>   Assuming Suds is fixed to provide an option for certificate
>   verification, next step would be to modify the vmware driver to
>   provide an option to override invalid certificates (such as self-
>   signed).  In other parts of OpenStack, there are options to bypass the
>   certificate check with a "insecure" option set, or you could put the
>   server's certificate in the CA store.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1276207/+subscriptions
>

Davanum Srinivas (DIMS) (dims-v) on 2014-09-23

Changed in oslo.vmware:
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-17: Change abandoned on cinder (master)

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/111226

Davanum Srinivas (DIMS) (dims-v) on 2014-12-04

Changed in oslo.vmware:
status:	Confirmed → Fix Committed

Johnson koil raj (jjohnsonkoilraj) on 2015-01-30

Changed in nova:
status:	Confirmed → Fix Released

Doug Hellmann (doug-hellmann) on 2015-02-23

Changed in oslo.vmware:
milestone:	none → 0.10.0
status:	Fix Committed → Fix Released

Johnson koil raj (jjohnsonkoilraj) on 2015-02-24

Changed in cinder:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-04: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/179728

Radoslav Gerganov (rgerganov) on 2015-05-04

Changed in nova:
status:	Fix Released → Confirmed
assignee:	nobody → Radoslav Gerganov (rgerganov)

Vipin Balachandran (vbala) on 2015-05-04

Changed in cinder:
status:	Fix Released → Confirmed
assignee:	Johnson koil raj (jjohnsonkoilraj) → Vipin Balachandran (vbala)
importance:	Low → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-04: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/179753

Changed in cinder:
status:	Confirmed → In Progress

Vipin Balachandran (vbala) on 2015-05-04

Changed in nova:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-04: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/179753
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=39478338bb4a1cbd625a6176d4403bb34a2a0630
Submitter: Jenkins
Branch: master

commit 39478338bb4a1cbd625a6176d4403bb34a2a0630
Author: Vipin Balachandran <email address hidden>
Date: Mon May 4 16:13:41 2015 +0530

VMware: Enable vCenter certificate verification

    Currently vCenter certificate is not verified during connection
    establishment. This patch adds a config option to specify a CA
    bundle file to verify vCenter server certificate.

DocImpact

Change-Id: Ida730db66b154a4d445f7a91bccb9ca5b5a26f5e
Closes-Bug: #1276207

Changed in cinder:
status:	In Progress → Fix Committed

Eric Brown (ericwb) on 2015-05-05

Changed in ceilometer:
assignee:	nobody → Eric Brown (ericwb)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-05: Fix proposed to ceilometer (master)

#10

Fix proposed to branch: master
Review: https://review.openstack.org/180266

Changed in ceilometer:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-06: Fix merged to ceilometer (master)

#11

Reviewed: https://review.openstack.org/180266
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=2f4ff42a9257a51ca807ac534ca3e598e627a959
Submitter: Jenkins
Branch: master

commit 2f4ff42a9257a51ca807ac534ca3e598e627a959
Author: Eric Brown <email address hidden>
Date: Tue May 5 11:38:49 2015 -0700

VMware: verify vCenter server certificate

Two configuration properties are being added:

'ca_file': Specify a CA bundle file to use in verifying the vCenter
server certificate

    'insecure': If true, the vCenter server certificate is not verified.
    If false, then the default CA truststore is used for verification.
    This option is ignored if 'ca_file' is set.

Closes-Bug: #1276207

DocImpact

Change-Id: I8f408308cddbb40b19e8dc9fce6ff02745d963b8

Changed in ceilometer:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-16: Fix merged to nova (master)

#12

Reviewed: https://review.openstack.org/179728
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=823766637d2cdd45df75716553656e4650cb49ec
Submitter: Jenkins
Branch: master

commit 823766637d2cdd45df75716553656e4650cb49ec
Author: Radoslav Gerganov <email address hidden>
Date: Mon May 4 11:18:58 2015 +0300

VMware: verify vCenter server certificate

    Two configuration properties are being added:
    'ca_file': Specify a CA bundle file to use in verifying the vCenter
    server certificate
    'insecure': If true, the vCenter server certificate is not verified.
    If false, then the default CA truststore is used for verification.
    This option is ignored if 'ca_file' is set.

Closes-Bug: #1276207

DocImpact

Change-Id: I86a04fbd70f726206ddd95caf87685f3559d2ad8

Changed in nova:
status:	In Progress → Fix Committed

ZhiQiang Fan (aji-zqfan) on 2015-06-17

Changed in ceilometer:
importance:	Undecided → Medium

Thierry Carrez (ttx) on 2015-06-23

Changed in ceilometer:
milestone:	none → liberty-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-06-23

Changed in cinder:
milestone:	none → liberty-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-06-24

Changed in nova:
milestone:	none → liberty-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in nova:
milestone:	liberty-1 → 12.0.0

Thierry Carrez (ttx) on 2015-10-15

Changed in ceilometer:
milestone:	liberty-1 → 5.0.0

Thierry Carrez (ttx) on 2015-10-15

Changed in cinder:
milestone:	liberty-1 → 7.0.0

Johnson koil raj (jjohnsonkoilraj) on 2015-10-15

Changed in glance:
assignee:	nobody → Johnson koil raj (jjohnsonkoilraj)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.