OpenStack services do not disable SSLv2 / v3

Bug #1382141 reported by Dirk Mueller
Affects                        Status  Importance  Assigned to  Milestone
Cinder                         New     Undecided   Unassigned
Glance                         New     Undecided   Unassigned
OpenStack Compute (nova)       New     Undecided   Unassigned
OpenStack Identity (keystone)  New     Undecided   Unassigned

Bug Description

OpenStack services generally use code similar to this for enabling SSL support in their API servers:

            dup_socket = eventlet.wrap_ssl(dup_socket, certfile=self.certfile,
                                           keyfile=self.keyfile,
                                           server_side=True,
                                           cert_reqs=cert_reqs,
                                           ca_certs=self.ca_certs)

This does not set the ssl_version option, and Python versions older than 2.7.8 generally allow protocol downgrades to SSLv2 with this, and SSLv3 as well. With the POODLE SSLv3 vulnerability (CVE-2014-3566), it is generally considered deprecated to allow a protocol downgrade to SSLv2 and SSLv3.

Therefore we need to enforce the use of TLSv1 and newer. Unfortunately the Python ssl module only gained full support for this with Python 2.7.9, so for older versions the only sane way is to force TLSv1 (since it does not support TLSv1.1 or newer there).

I made an example patch:

--- a/keystone/common/environment/eventlet_server.py
+++ b/keystone/common/environment/eventlet_server.py
@@ -122,9 +122,18 @@ class Server(object):
             else:
                 cert_reqs = ssl.CERT_NONE

+ # Disable SSLv2 and v3 as they're generally insecure
+ ssl_version = ssl.PROTOCOL_TLSv1
+ # Python 2.7.9 and newer offer these options
+ if (getattr(ssl, 'OP_NO_SSLv2', False) and
+ getattr(ssl, 'OP_NO_SSLv3', False)):
+ ssl_version = \
+ ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+
             dup_socket = eventlet.wrap_ssl(dup_socket, certfile=self.certfile,
                                            keyfile=self.keyfile,
                                            server_side=True,
+ ssl_version=ssl_version,
                                            cert_reqs=cert_reqs,
                                            ca_certs=self.ca_certs)
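Review bot: the 2.7.9+ branch (`ssl_version = ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`) ORs context option flags into the protocol argument, but `ssl_version` has to be one of the `PROTOCOL_*` constants: `ssl.wrap_socket` builds an `SSLContext(ssl_version)` from it and that constructor raises `ValueError` for the combined integer, so on new interpreters the server fails to start instead of refusing SSLv3. Where `SSLContext` and the `OP_NO_*` flags exist, create the context explicitly, set `ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`, and wrap the socket with that context rather than a bare `ssl_version`; the `PROTOCOL_TLSv1` fallback for older Pythons is fine as the description explains it, but a comment on the `+ ssl_version = ssl.PROTOCOL_TLSv1` line saying that it pins TLS 1.0 only would help later readers.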

for keystone, but it affects all other services as well. If you agree I'll push this as a public review; I don't know how to do a private review.
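As an added example (not code from this bug report, keystone or eventlet; all function names are my own), the hardened server-side configuration the description asks for, built the way the ssl module expects it, with the TLSv1 fallback for an ssl module that predates SSLContext, plus a check showing that OR'ing the OP_NO_* flags into ssl_version is rejected:

```python
import ssl

# Added example, not keystone's or eventlet's code; function names are assumptions.
# Mirrors the fallback described in the bug: on an ssl module without SSLContext /
# OP_NO_* (Python < 2.7.9) the only option is to pin PROTOCOL_TLSv1; on newer modules,
# negotiate "any version" and refuse SSLv2 and SSLv3 explicitly.

# OP_NO_SSLv2 is 0 on OpenSSL >= 1.1 (SSLv2 removed), which is harmless here.
LEGACY_FLAGS = getattr(ssl, "OP_NO_SSLv2", 0) | getattr(ssl, "OP_NO_SSLv3", 0)


def hardened_server_context():
    """Context that negotiates TLSv1 and newer but refuses SSLv2 and SSLv3."""
    # PROTOCOL_SSLv23 means "highest version both sides support"; the OP_NO_* flags
    # belong in ctx.options, not in the protocol argument.
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options |= LEGACY_FLAGS
    return ctx


def refuses_legacy_ssl(ctx):
    """True when SSLv2 and SSLv3 are both disabled on the context."""
    return (ctx.options & LEGACY_FLAGS) == LEGACY_FLAGS


def server_tls_settings():
    """Return (ssl_version, context); exactly one is set, depending on the ssl module."""
    if hasattr(ssl, "SSLContext") and hasattr(ssl, "OP_NO_SSLv3"):
        return None, hardened_server_context()
    # Old module: no way to filter versions, so force TLSv1 (no TLSv1.1+ there anyway).
    return ssl.PROTOCOL_TLSv1, None


def patch_style_version_accepted():
    """The example patch ORs OP_NO_* flags into ssl_version. The ssl module only
    accepts a PROTOCOL_* constant there, so the combined integer is rejected."""
    combined = ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    try:
        ssl.SSLContext(combined)  # wrap_socket(ssl_version=...) builds this same context
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    version, ctx = server_tls_settings()
    print("pinned version:", version, "| context refuses SSLv2/3:",
          ctx is not None and refuses_legacy_ssl(ctx))
    print("patch-style ssl_version accepted:", patch_style_version_accepted())
```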

Dolph Mathews (dolph) wrote:

Dupe of bug 1381365? (I'm also not sure if there's a special process for duplicate security-related issues?)

Jeremy Stanley (fungi) wrote:

Usually subscribe the reporter of the dupe to the master ticket. Also if one is public, all should be (but in this case both are private so they can stay embargoed until a determination is made to open them together).

Dirk Mueller (dmllr) wrote:

Well, I didn't see the other private ticket while searching for duplicates. Please subscribe me to the other ticket. TIA!

Jeremy Stanley (fungi)
information type: Private Security → Public