vmware driver does not validate server certificates

Bug #1276207 reported by Eric Brown on 2014-02-04
This bug affects 3 people
Affects                   Status        Importance  Assigned to         Milestone
Ceilometer                Fix Released  Medium      Eric Brown          5.0.0
Cinder                    Fix Released  Medium      Vipin Balachandran  7.0.0
Glance                                  Undecided   Johnson koil raj
OpenStack Compute (nova)  Fix Released  Medium      Radoslav Gerganov   12.0.0
oslo.vmware               Fix Released  Medium      Unassigned          0.10.0

Bug Description

The VMware driver establishes connections to vCenter over HTTPS, yet the vCenter server certificate is not verified as part of the connection process. I know this because my vCenter server is using a self-signed certificate which always fails certificate verification. As a result, someone could use a man-in-the-middle attack to spoof the vCenter host to nova.

The vmware driver has a dependency on Suds, which I believe also does not validate certificates because hartsock and I noticed it uses urllib.

For reference, here is a link on secure connections in OpenStack:
https://wiki.openstack.org/wiki/SecureClientConnections

Assuming Suds is fixed to provide an option for certificate verification, the next step would be to modify the vmware driver to provide an option to override invalid certificates (such as self-signed). In other parts of OpenStack, there are options to bypass the certificate check with an "insecure" option set, or you could put the server's certificate in the CA store.

Eric Brown (ericwb) on 2014-02-06
Changed in nova:
assignee: nobody → Eric Brown (ericwb)
Eric Brown (ericwb) wrote :

Opened a bug on pyvmomi - one of the future dependencies.
https://github.com/vmware/pyvmomi/issues/13

Eric Brown (ericwb) wrote :
Changed in nova:
status: New → In Progress

Can be achieved by overriding the suds transport to use the requests library.

Changed in nova:
importance: Undecided → Medium
milestone: none → icehouse-3
milestone: icehouse-3 → next
Changed in nova:
milestone: next → none
Eric Brown (ericwb) on 2014-05-28
Changed in nova:
assignee: Eric Brown (ericwb) → nobody
status: In Progress → Confirmed
Changed in cinder:
assignee: nobody → Johnson koil raj (jjohnsonkoilraj)
Changed in cinder:
importance: Undecided → Low
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/111226

Changed in cinder:
status: Confirmed → In Progress
Mike Perez (thingee) on 2014-08-07
tags: added: drivers

I am so sorry, your company's service isn't well within my ISP. I compared
to other VPN providers; their service in my environment is very good, the
speed of connectivity is just three or five seconds, but your service
commonly is three or five minutes, and worse, cannot connect to servers, so
I insist on refunding. Please don't find any reason to answer me; it has no
relationship with the config or other reason, but the network your company
provided, so don't delay the date to refund, because after several rounds
the time is over, so please deal with my refund, thanks!

2014-08-13 3:06 GMT+08:00 Davanum Srinivas (DIMS) <email address hidden>:

> ** Also affects: oslo.vmware
> Importance: Undecided
> Status: New
>
> Title:
> vmware driver does not validate server certificates
>
> Status in Cinder:
> In Progress
> Status in OpenStack Compute (Nova):
> Confirmed
> Status in Oslo VMware library for OpenStack projects:
> New

Changed in oslo.vmware:
status: New → Confirmed
importance: Undecided → Medium

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/111226

Changed in oslo.vmware:
status: Confirmed → Fix Committed
Changed in nova:
status: Confirmed → Fix Released
Changed in oslo.vmware:
milestone: none → 0.10.0
status: Fix Committed → Fix Released
Changed in cinder:
status: In Progress → Fix Released
Changed in nova:
status: Fix Released → Confirmed
assignee: nobody → Radoslav Gerganov (rgerganov)
Changed in cinder:
status: Fix Released → Confirmed
assignee: Johnson koil raj (jjohnsonkoilraj) → Vipin Balachandran (vbala)
importance: Low → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/179753

Changed in cinder:
status: Confirmed → In Progress
Changed in nova:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/179753
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=39478338bb4a1cbd625a6176d4403bb34a2a0630
Submitter: Jenkins
Branch: master

commit 39478338bb4a1cbd625a6176d4403bb34a2a0630
Author: Vipin Balachandran <email address hidden>
Date: Mon May 4 16:13:41 2015 +0530

    VMware: Enable vCenter certificate verification

    Currently vCenter certificate is not verified during connection
    establishment. This patch adds a config option to specify a CA
    bundle file to verify vCenter server certificate.

    DocImpact

    Change-Id: Ida730db66b154a4d445f7a91bccb9ca5b5a26f5e
    Closes-Bug: #1276207

Changed in cinder:
status: In Progress → Fix Committed
Eric Brown (ericwb) on 2015-05-05
Changed in ceilometer:
assignee: nobody → Eric Brown (ericwb)

Fix proposed to branch: master
Review: https://review.openstack.org/180266

Changed in ceilometer:
status: New → In Progress

Reviewed: https://review.openstack.org/180266
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=2f4ff42a9257a51ca807ac534ca3e598e627a959
Submitter: Jenkins
Branch: master

commit 2f4ff42a9257a51ca807ac534ca3e598e627a959
Author: Eric Brown <email address hidden>
Date: Tue May 5 11:38:49 2015 -0700

    VMware: verify vCenter server certificate

    Two configuration properties are being added:

    'ca_file': Specify a CA bundle file to use in verifying the vCenter
    server certificate

    'insecure': If true, the vCenter server certificate is not verified.
    If false, then the default CA truststore is used for verification.
    This option is ignored if 'ca_file' is set.

    Closes-Bug: #1276207

    DocImpact

    Change-Id: I8f408308cddbb40b19e8dc9fce6ff02745d963b8

Changed in ceilometer:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/179728
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=823766637d2cdd45df75716553656e4650cb49ec
Submitter: Jenkins
Branch: master

commit 823766637d2cdd45df75716553656e4650cb49ec
Author: Radoslav Gerganov <email address hidden>
Date: Mon May 4 11:18:58 2015 +0300

    VMware: verify vCenter server certificate

    Two configuration properties are being added:
    'ca_file': Specify a CA bundle file to use in verifying the vCenter
    server certificate
    'insecure': If true, the vCenter server certificate is not verified.
    If false, then the default CA truststore is used for verification.
    This option is ignored if 'ca_file' is set.

    Closes-Bug: #1276207

    DocImpact

    Change-Id: I86a04fbd70f726206ddd95caf87685f3559d2ad8

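Added example, not code from the bug report or from the nova, cinder or ceilometer patches above: a stdlib-only resolver that turns the 'ca_file' / 'insecure' pair described in the two commit messages (and the "insecure option or put the cert in the CA store" choice the reporter proposed) into an ssl.SSLContext with the precedence the commits state: ca_file wins, insecure only matters when no ca_file is given, and the default is the system trust store with hostname checking. The function names, the describe/classify helpers and the sample path are this example's own; the real drivers go through oslo.vmware and a SOAP transport, which is not reproduced here.

```python
# Added example: maps the 'ca_file' / 'insecure' options from the commit
# messages onto a stdlib ssl.SSLContext.  All names are this example's own.
import ssl
import urllib.request


def verification_mode(ca_file=None, insecure=False):
    """Return which of the three verification modes the two options select."""
    if ca_file:
        return "ca_file"      # explicit CA bundle; 'insecure' is ignored
    if insecure:
        return "insecure"     # no verification at all; MITM becomes possible
    return "system"           # default CA trust store, hostname checked


def build_ssl_context(ca_file=None, insecure=False):
    """Build an SSLContext enforcing the selected mode.

    A ca_file that does not exist raises FileNotFoundError (from
    load_verify_locations) instead of quietly degrading to an unverified
    connection, which is the failure mode an operator most needs to notice.
    """
    mode = verification_mode(ca_file, insecure)
    if mode == "ca_file":
        # Trust only the given bundle, e.g. a self-signed vCenter cert
        # exported by the operator (path is a placeholder in the demo below).
        return ssl.create_default_context(cafile=ca_file)
    ctx = ssl.create_default_context()   # system store, check_hostname=True
    if mode == "insecure":
        # Order matters: check_hostname must be False before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx):
    """Summarise what the context actually enforces, for logging/tests."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def build_opener(ca_file=None, insecure=False):
    """urllib opener wired to the context; a SOAP transport (such as the suds
    transport mentioned in the thread) would hand its HTTPS calls to this."""
    ctx = build_ssl_context(ca_file, insecure)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def classify_connect_error(exc):
    """Turn the exception a verified connection raises into an operator message."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("vCenter certificate rejected: add its issuing CA to ca_file or "
                "fix the server certificate; do not fall back to insecure=True")
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: %s" % exc
    return "connection failed: %s" % exc


if __name__ == "__main__":
    # Constructed option sets; the ca_file path is a placeholder, so only the
    # mode is printed for it (building that context would require the file).
    for opts in ({}, {"insecure": True},
                 {"ca_file": "/etc/ssl/vcenter-ca.pem", "insecure": True}):
        print(opts, "->", verification_mode(**opts))
    print("system context:", describe_context(build_ssl_context()))
    print("insecure context:", describe_context(build_ssl_context(insecure=True)))
```

The precedence check and the missing-file behaviour are the two things worth wiring into a deployment test: with ca_file set, insecure=True must have no effect, and a typo in the ca_file path must abort startup rather than open an unverified channel.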
Changed in nova:
status: In Progress → Fix Committed
ZhiQiang Fan (aji-zqfan) on 2015-06-17
Changed in ceilometer:
importance: Undecided → Medium
Thierry Carrez (ttx) on 2015-06-23
Changed in ceilometer:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-06-23
Changed in cinder:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-06-24
Changed in nova:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in nova:
milestone: liberty-1 → 12.0.0
Thierry Carrez (ttx) on 2015-10-15
Changed in ceilometer:
milestone: liberty-1 → 5.0.0
Thierry Carrez (ttx) on 2015-10-15
Changed in cinder:
milestone: liberty-1 → 7.0.0
Changed in glance:
assignee: nobody → Johnson koil raj (jjohnsonkoilraj)