Implement SSL for spice consoles

Bug #1424797 reported by Bjoern
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openstack-ansible
Invalid
Wishlist
Unassigned
Juno
Invalid
Wishlist
Unassigned
Kilo
Invalid
Wishlist
Unassigned
Trunk
Invalid
Wishlist
Unassigned

Bug Description

Analog to keystone plese run the spice html proxy behind the apache and support SSL

Tags: in-kilo
Revision history for this message
Bjoern (bjoern-t) wrote :

Implementing this bug will also fix the iframe security violation we currently see in modern browser due to mixed HTTP content in HTTPS site

Revision history for this message
Andy McCrae (andrew-mccrae) wrote :

Is this not solved by offloading on the LB? The option for the spice console to be "https" is there, but it won't setup any certs.

Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

Switching importance to wishlist as this is a new feature request.

Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

Removing the milestone set until someone picks this up.

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

You can have your loadbalancer/reverse_proxy do a SSL termination, then you forward content using traditional tcp to your consoles. This should be fine if you consider your cloud management network as secure.

However, you'll have an issue with novnc "Protocol mismatch". Your clients will see an https page, but the nova_console receives ws:// traffic (insecure form).

This could be easily fixed by editing your spice console in /usr/share/spice-html5/spice_auto.html:
               var default_port = window.location.port;
                if (window.location.protocol == 'http:') {
                    if (!default_port) { default_port = 80; }
                }
                else if (window.location.protocol == 'https:') {
                    if (!default_port) { default_port = 443; }
                    scheme = "wss://";
                }
The protocol mismatch error will disappear. It's better than nothing.
Keep in mind that it's not a fully secure end-to-end solution, but it prevents session snooping.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/226462
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=a944d049fb14380e81692c19267c2eec443c386a
Submitter: Jenkins
Branch: master

commit a944d049fb14380e81692c19267c2eec443c386a
Author: Jimmy McCrory <email address hidden>
Date: Tue Sep 22 10:46:48 2015 -0700

    Install spice-html5 from source

    'ws://' is currently hardcoded within the spice_auto.html file included
    in the packaged release of spice-html5, raising a security error when
    accessing consoles over HTTPS.

    Remove the existing apt package and install spice-html5 from source
    instead since this issue has been corrected as of spice-html5-0.1.6.

    Change-Id: Ie308a477143037963f903f2ac21b2b1f0328fcb3
    Partial-Bug: #1424797

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/232697
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=391bdaad804cb5ebacc30c48a830c8828e7025db
Submitter: Jenkins
Branch: kilo

commit 391bdaad804cb5ebacc30c48a830c8828e7025db
Author: Jimmy McCrory <email address hidden>
Date: Tue Sep 22 10:46:48 2015 -0700

    Install spice-html5 from source

    'ws://' is currently hardcoded within the spice_auto.html file included
    in the packaged release of spice-html5, raising a security error when
    accessing consoles over HTTPS.

    Remove the existing apt package and install spice-html5 from source
    instead since this issue has been corrected as of spice-html5-0.1.6.

    Change-Id: Ie308a477143037963f903f2ac21b2b1f0328fcb3
    Partial-Bug: #1424797
    (cherry picked from commit a944d049fb14380e81692c19267c2eec443c386a)

tags: added: in-kilo
Revision history for this message
Major Hayden (rackerhacker) wrote :

This is already in liberty/mitaka.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers