SSL Version and cipher selection not possible
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Won't Fix | Undecided | Unassigned | |
| Glance | Won't Fix | Undecided | Unassigned | |
| OpenStack Compute (nova) | Won't Fix | Undecided | Unassigned | |
| OpenStack Identity (keystone) | Won't Fix | Wishlist | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
We configure keystone to use SSL always. Due to the poodle issue, I was trying to configure keystone to disable SSLv3 completely.
http://
https:/
It seems that keystone has no support for configuring SSL versions, nor ciphers.
If I'm not mistaken the relevant code is in the start function in `common/`. It calls `eventlet.wrap_ssl` but with no SSL version nor cipher options. Since the interface is identical, I assume it uses `ssl.wrap_socket`. The default here seems to be PROTOCOL_SSLv23 (SSL2 disabled), which would make this vulnerable to the poodle issue.
It should probably be possible to set SSL configs in the config file (with sane defaults), so that current and newly detected weak ciphers can be disabled without code changes.
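As an added illustration of the hardening mechanism the report asks for (not code from keystone, eventlet, or any OpenStack project), the snippet below builds a server-side TLS context from config values with sane defaults: SSLv3 can never be negotiated, the protocol floor and the cipher list come from the config, and a startup check reports any weak cipher that would still be offered. It uses Python's `ssl.SSLContext` API rather than the `eventlet.wrap_ssl` / `ssl.wrap_socket` call the report mentions, because `wrap_socket` has since been removed from Python and `SSLContext.minimum_version` is the supported way to pin the protocol floor. The config keys `min_version` and `ciphers` are hypothetical, not real keystone options.

```python
import ssl

# Constructed stand-in for an option group in a config file. The key names are
# hypothetical (not keystone's), chosen to show version and cipher selection.
DEFAULT_TLS_CONFIG = {
    "min_version": "TLSv1.2",
    "ciphers": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4",
}

# Only protocol floors that are still considered acceptable are accepted from
# config; SSLv3 and TLS 1.0/1.1 are deliberately not mappable.
_MIN_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Substrings that mark cipher suites a deployment should not be offering.
_WEAK_MARKERS = ("RC4", "NULL", "MD5", "DES", "EXPORT")


def build_server_context(conf, certfile=None, keyfile=None):
    """Build a server SSLContext from config values, falling back to defaults.

    Raises ValueError for a protocol floor that is not on the allow-list, so a
    typo or an attempt to re-enable SSLv3 fails at startup instead of silently
    weakening the listener.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    min_version = conf.get("min_version", DEFAULT_TLS_CONFIG["min_version"])
    if min_version not in _MIN_VERSIONS:
        raise ValueError("unsupported or disallowed min_version %r" % min_version)
    # minimum_version replaces the deprecated OP_NO_SSLv3 / OP_NO_TLSv1 flags.
    ctx.minimum_version = _MIN_VERSIONS[min_version]

    # set_ciphers raises ssl.SSLError if no suite matches the string, which is
    # the desired failure mode for a broken cipher config.
    ctx.set_ciphers(conf.get("ciphers", DEFAULT_TLS_CONFIG["ciphers"]))

    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def sslv3_disabled(ctx):
    """True when the context cannot negotiate SSLv3, by option bit or floor."""
    floor_above_sslv3 = ctx.minimum_version not in (
        ssl.TLSVersion.MINIMUM_SUPPORTED,
        ssl.TLSVersion.SSLv3,
    )
    return bool(ctx.options & ssl.OP_NO_SSLv3) or floor_above_sslv3


def weak_cipher_names(ctx):
    """Names of cipher suites the context would still offer that look weak."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in _WEAK_MARKERS)
    ]


def minimum_version_name(ctx):
    """Config-facing name of the negotiated protocol floor (e.g. 'TLSv1_2')."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    context = build_server_context({})
    print("SSLv3 disabled:", sslv3_disabled(context))
    print("protocol floor:", minimum_version_name(context))
    print("weak ciphers still offered:", weak_cipher_names(context))
```

Calling `build_server_context` once at service start and refusing to listen if `weak_cipher_names` is non-empty gives operators exactly the knob the report describes: new weak suites are excluded by editing the cipher string, not the code.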
Changed in ossa:
- status: New → Incomplete
- information type: Private Security → Public
- tags: added: security

Changed in ossa:
- status: Incomplete → Won't Fix

Changed in keystone:
- status: New → Confirmed
- importance: Undecided → Medium
- importance: Medium → Wishlist

Changed in keystone:
- status: Confirmed → Won't Fix

Changed in cinder:
- status: New → Won't Fix

Changed in glance:
- status: New → Won't Fix
Thanks for the report! The OSSA task is set to Incomplete pending additional security detail.
This may not constitute a vulnerability as is but more a lack of a security hardening mechanism (which could be implemented publicly).
I also believe this is the case for most (if not all) OpenStack projects...