Comment 5 for bug 1276207

Yalu Bai (yalu0311) wrote : Re: [Bug 1276207] Re: vmware driver does not validate server certificates

I am so sorry, your company's service isn't well within my ISP, I compared
to other VPN providers, their service in my environment is very well, the
speed of connectivity is just three or five seconds, but your service
commonly is three or five minutes, worse, it cannot connect to servers, so
I insist on refunding, please don't find any reason to answer me, it has no
relationship with the config or other reason, but the network your company
provided, so don't delay the date to refund, because of several times' round,
the time is over, so, please deal with my refund, thanks!

2014-08-13 3:06 GMT+08:00 Davanum Srinivas (DIMS) <email address hidden>:

> ** Also affects: oslo.vmware
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to
> OpenStack Compute (nova).
> Matching subscriptions: clearity
> https://bugs.launchpad.net/bugs/1276207
>
> Title:
> vmware driver does not validate server certificates
>
> Status in Cinder:
> In Progress
> Status in OpenStack Compute (Nova):
> Confirmed
> Status in Oslo VMware library for OpenStack projects:
> New
>
> Bug description:
> The VMware driver establishes connections to vCenter over HTTPS, yet
> the vCenter server certificate is not verified as part of the
> connection process. I know this because my vCenter server is using a
> self-signed certificate which always fails certification verification.
> As a result, someone could use a man-in-the-middle attack to spoof the
> vCenter host to nova.
>
> The vmware driver has a dependency on Suds, which I believe also does
> not validate certificates because hartsock and I noticed it uses
> urllib.
>
> For reference, here is a link on secure connections in OpenStack:
> https://wiki.openstack.org/wiki/SecureClientConnections
>
> Assuming Suds is fixed to provide an option for certificate
> verification, the next step would be to modify the vmware driver to
> provide an option to override invalid certificates (such as self-
> signed). In other parts of OpenStack, there are options to bypass the
> certificate check with an "insecure" option set, or you could put the
> server's certificate in the CA store.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1276207/+subscriptions
>
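The two options the quoted bug description proposes (an explicit "insecure" override, or trusting the server's certificate through a CA file), sketched with Python's standard `ssl` module. This is an added example, not code from the bug report, nova, or oslo.vmware; the names `build_vcenter_ssl_context`, `open_vcenter_tls`, `insecure` and `ca_file` are assumptions made for illustration.

```python
import logging
import socket
import ssl

LOG = logging.getLogger(__name__)


def build_vcenter_ssl_context(insecure=False, ca_file=None):
    """Build the TLS client context for a vCenter HTTPS connection.

    insecure and ca_file are hypothetical option names for this example.
    """
    if insecure:
        if ca_file:
            # Refuse a config that looks verified but is not.
            raise ValueError("ca_file is ignored when insecure=True")
        LOG.warning("vCenter certificate verification is DISABLED")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Default: the chain must validate and the hostname must match.
    # With ca_file set, only that file is trusted (e.g. a self-signed
    # vCenter certificate); with ca_file=None the system CA store is used.
    return ssl.create_default_context(cafile=ca_file)


def open_vcenter_tls(host, port=443, insecure=False, ca_file=None, timeout=10):
    """Connect and complete the handshake; raises ssl.SSLCertVerificationError
    when verification is on and the certificate is not trusted."""
    ctx = build_vcenter_ssl_context(insecure=insecure, ca_file=ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

Verification is the default here, so an operator has to opt out deliberately, and the opt-out is logged.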