EC2 keystone auth token is using unsafe SSL connection

Bug #1373992 reported by Sean Dague
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Critical
Assigned to: melanie witt
Milestone: 2015.1.0

Bug Description

EC2KeystoneAuth uses httplib.HTTPSConnection objects. In Python 2.x those do not perform CA checks so client connections are vulnerable to MiM attacks.

This should use requests instead, and pick up the local cacert params if needed.

Tags: ec2
Sean Dague (sdague)
Changed in nova:
status: New → Triaged
importance: Undecided → Critical
tags: added: ec2
melanie witt (melwitt)
Changed in nova:
assignee: nobody → melanie witt (melwitt)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/124296

Changed in nova:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/124296
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cff14b3763df7515405552b56e96f11765c56c74
Submitter: Jenkins
Branch: master

commit cff14b3763df7515405552b56e96f11765c56c74
Author: melanie witt <email address hidden>
Date: Fri Sep 26 05:15:16 2014 +0000

    replace httplib.HTTPSConnection in EC2KeystoneAuth

    httplib.HTTPSConnection is known to not verify SSL certificates
    in Python 2.x. This change replaces use of httplib.HTTPSConnection
    with the requests module. It imports config settings related to SSL
    verification: ssl.key_file, ssl.cert_file, and ssl.ca_file. It also
    adds one config setting: keystone_ec2_insecure. By default, SSL
    verification is on, but can be disabled by setting:

    keystone_ec2_insecure=true

    This patch is based on the keystone middleware ec2 token patch:

    https://review.openstack.org/#/c/76476

    SecurityImpact
    DocImpact
    Closes-Bug: #1373992

    Change-Id: I8e46d41164e9478b820cad569ba82f25de244620

Changed in nova:
status: In Progress → Fix Committed
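The bug description and the commit message above contrast two TLS client behaviours: Python 2's httplib.HTTPSConnection, which performs no CA or hostname check, and a requests-based client driven by ssl.ca_file, ssl.cert_file, ssl.key_file and keystone_ec2_insecure. The following is an added illustration of that contrast, written for this page; it is not nova's code and not the merged patch. It expresses the legacy behaviour as an ssl.SSLContext (the Python 3 equivalent of what httplib did in 2.x) and shows how the four config values map onto the verify= and cert= arguments of requests.post(). The function names, the "/etc/nova/..." paths and the option-to-argument mapping are assumptions; only the option names come from the commit message.

```python
"""Legacy (unverified) vs. hardened TLS client settings for the EC2 token
call to Keystone. Added example; not nova's code."""
import ssl


def legacy_httplib_context():
    """Python 3 equivalent of what Python 2 httplib.HTTPSConnection did:
    TLS is negotiated, but the peer certificate is never checked against a
    CA and the hostname is never compared, so any certificate is accepted.
    This is the MITM-vulnerable behaviour reported in the bug."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no CA check at all
    return ctx


def hardened_context(ca_file=None):
    """What a verified client should do: require a chain to a trusted CA
    (the configured ssl.ca_file or the system store) and match the hostname."""
    return ssl.create_default_context(cafile=ca_file)


def keystone_ec2_tls_kwargs(ca_file=None, cert_file=None, key_file=None,
                            insecure=False):
    """Map nova's [ssl] options and keystone_ec2_insecure onto the keyword
    arguments requests.post() takes. (Assumed mapping, modelled on the
    commit message: verification is on unless keystone_ec2_insecure=true.)"""
    if insecure:
        verify = False                  # back to the old httplib behaviour
    elif ca_file:
        verify = ca_file                # local CA bundle, e.g. a private CA
    else:
        verify = True                   # CA bundle shipped with requests
    cert = None
    if cert_file:
        # client certificate for mutual TLS; key may live in a separate file
        cert = (cert_file, key_file) if key_file else cert_file
    return {"verify": verify, "cert": cert}


def verify_mode_of(kwargs):
    """Translate a requests 'verify' value back to the ssl-level meaning,
    so the effect of keystone_ec2_insecure can be checked in one place."""
    return ssl.CERT_NONE if kwargs["verify"] is False else ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Constructed configuration values; the paths are placeholders.
    default = keystone_ec2_tls_kwargs()
    private_ca = keystone_ec2_tls_kwargs(ca_file="/etc/nova/keystone-ca.pem",
                                         cert_file="/etc/nova/nova.crt",
                                         key_file="/etc/nova/nova.key")
    opted_out = keystone_ec2_tls_kwargs(insecure=True)
    print("default:", default, verify_mode_of(default))
    print("private CA + client cert:", private_ca, verify_mode_of(private_ca))
    print("keystone_ec2_insecure=true:", opted_out, verify_mode_of(opted_out))
    print("legacy httplib verify_mode:", legacy_httplib_context().verify_mode)
    print("hardened verify_mode:", hardened_context().verify_mode)
```

The point to check in review of any such client is the last two lines: the legacy context reports CERT_NONE, the hardened one CERT_REQUIRED with check_hostname left at its default of True. Setting keystone_ec2_insecure=true deliberately reproduces the CERT_NONE behaviour, which is why the commit message flags it with SecurityImpact.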
Thierry Carrez (ttx)
Changed in nova:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: kilo-1 → 2015.1.0