OpenStack services do not disable SSLv2 / v3
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | New | Undecided | Unassigned | |
| Glance | New | Undecided | Unassigned | |
| OpenStack Compute (nova) | New | Undecided | Unassigned | |
| OpenStack Identity (keystone) | New | Undecided | Unassigned | |
Bug Description
OpenStack services generally use code similar to this to enable SSL support in their API servers:
This does not set the ssl_version option, and Python versions older than 2.7.8 generally allow protocol downgrades to SSLv2 with this, and to SSLv3 as well. With the POODLE SSLv3 vulnerability (CVE-2014-3566), it is generally considered deprecated to allow a protocol downgrade to SSLv2 and SSLv3.
Therefore we need to enforce the use of TLSv1 and newer. Unfortunately the Python ssl module only gained full support for this with Python 2.7.9, so for older versions the only sane way is to force TLSv1 (since it does not support TLSv1.1 or newer there).
I made an example patch:
--- a/keystone/
+++ b/keystone/
@@ -122,9 +122,18 @@ class Server(object):
else:
+ # Disable SSLv2 and v3 as they're generally insecure
+ ssl_version = ssl.PROTOCOL_TLSv1
+ # Python 2.7.9 and newer offer these options
+ if (getattr(ssl, 'OP_NO_SSLv2', False) and
+ getattr(ssl, 'OP_NO_SSLv3', False)):
+ ssl_version = \
+ ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+
+ ssl_version=
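Review bot: the value built on the `ssl_version = \` / `ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` lines is not a valid protocol: ssl_version takes a single PROTOCOL_* constant, while OP_NO_SSLv2 and OP_NO_SSLv3 are SSLContext option bits, so OR-ing them into ssl_version produces a number wrap_socket() does not recognise rather than a TLS-only configuration. For the Python 2.7.9+ branch, build `ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)`, set `ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` and wrap the socket with `ctx.wrap_socket(...)`, keeping `ssl_version=ssl.PROTOCOL_TLSv1` only for the pre-2.7.9 fallback. The trailing `+ ssl_version=` line is also cut off in the pasted hunk, so it is unclear what is assigned there.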
for keystone, but it affects all other services as well. If you agree I'll push this as a public review; I don't know how to do a private review.
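An added example, not code from the report or from any OpenStack project, showing the two cases the description lays out: where the ssl module has SSLContext and the OP_NO_* flags (Python 2.7.9+), the SSLv2/SSLv3 vetoes go on the context's options; otherwise ssl_version is pinned to PROTOCOL_TLSv1. It also checks that OR-ing PROTOCOL_SSLv23 with the OP_NO_* flags, as the pasted hunk does, does not produce a protocol constant. The function names and the LEGACY_SSL stand-in for an old ssl module are constructed for illustration.

```python
import ssl
import types


def server_tls_settings(ssl_mod=ssl):
    """Pick the safest way to refuse SSLv2/SSLv3 with the given ssl module.

    Returns ("context", SSLContext) when SSLContext and the OP_NO_* flags
    exist (Python 2.7.9+), else ("ssl_version", PROTOCOL_TLSv1), the only
    knob wrap_socket() offers on older interpreters.
    """
    if hasattr(ssl_mod, "SSLContext") and hasattr(ssl_mod, "OP_NO_SSLv3"):
        # Negotiate the highest version both sides speak, then veto the
        # SSL ones. OP_NO_* are context *options*, not part of ssl_version.
        # (Python 3.7+ also offers ctx.minimum_version for the same purpose.)
        ctx = ssl_mod.SSLContext(ssl_mod.PROTOCOL_SSLv23)
        ctx.options |= ssl_mod.OP_NO_SSLv2 | ssl_mod.OP_NO_SSLv3
        return "context", ctx
    # Pre-2.7.9: no per-version vetoes, so pin the one TLS version it knows.
    return "ssl_version", ssl_mod.PROTOCOL_TLSv1


def vetoes_sslv3(ctx, ssl_mod=ssl):
    """True when the context will refuse an SSLv3 handshake."""
    return bool(ctx.options & ssl_mod.OP_NO_SSLv3)


def protocol_constants(ssl_mod=ssl):
    """Every value wrap_socket()/SSLContext accept as a protocol selector."""
    return {int(getattr(ssl_mod, n)) for n in dir(ssl_mod)
            if n.startswith("PROTOCOL_")}


def hunk_ssl_version(ssl_mod=ssl):
    """The ssl_version the posted hunk computes on 2.7.9+: protocol | options."""
    return int(ssl_mod.PROTOCOL_SSLv23 | ssl_mod.OP_NO_SSLv2 | ssl_mod.OP_NO_SSLv3)


# Constructed stand-in for an ssl module older than 2.7.9: it has
# PROTOCOL_TLSv1 but neither SSLContext nor the OP_NO_* flags.
LEGACY_SSL = types.SimpleNamespace(PROTOCOL_TLSv1=ssl.PROTOCOL_TLSv1)


if __name__ == "__main__":
    kind, value = server_tls_settings()
    print(kind, vetoes_sslv3(value) if kind == "context" else value)
    print("legacy:", server_tls_settings(LEGACY_SSL))
    print("hunk value is a protocol constant:",
          hunk_ssl_version() in protocol_constants())
```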
information type: Private Security → Public
Dupe of bug 1381365? (I'm also not sure if there's a special process for duplicate security-related issues?)