scaleio connector disables HTTPS certificate validation
Bug #1929223 reported by Eric Harney
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| os-brick | Fix Released | High | Oleg Nesterenkov | |
Bug Description
A number of methods in the scaleio connector (connect_volume, disconnect_volume, and others) disable HTTPS cert validation via the requests.get() call by specifying verify=False.
These should enable certificate validation (like the PowerFlex Cinder driver does) when the "driver_
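As an added example (not code from os-brick or from the bug report), a stdlib-only scanner that flags the hard-coded `verify=False` pattern the report describes, so a reviewer can find every affected call site in a connector tree; the connector source it scans is a constructed sample, and calls that take `verify` from a variable (as the fixed code should, passing a configured CA path or True) are deliberately not flagged.

```python
import ast

# Constructed sample mimicking the pattern the bug describes (not the real
# os-brick connector source): requests.get() calls that pass verify=False.
SAMPLE_CONNECTOR = '''
import requests

def connect_volume(self, url, auth):
    r = requests.get(url, auth=auth, verify=False)
    return r.json()

def disconnect_volume(self, url, auth):
    verify = self._verify_cert()
    r = requests.get(url, auth=auth, verify=verify)
    return r.status_code
'''

REQUESTS_CALLS = {"get", "post", "put", "delete", "patch", "request"}

def find_verify_false(source: str, path: str = "<string>"):
    """Return (path, line, call) for every requests.<method>(...) call that
    hard-codes verify=False; calls passing verify from config are skipped."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match attribute calls on the requests module only (requests.get(...)).
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "requests"
                and func.attr in REQUESTS_CALLS):
            continue
        for kw in node.keywords:
            if (kw.arg == "verify"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((path, node.lineno, f"requests.{func.attr}"))
    return findings

if __name__ == "__main__":
    for path, line, call in find_verify_false(SAMPLE_CONNECTOR, "scaleio.py"):
        print(f"{path}:{line}: {call}() disables certificate validation")
```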
tags: added: drivers scaleio

Changed in os-brick:
importance: Undecided → High

Changed in os-brick:
assignee: nobody → Oleg Nesterenkov (olegnest)
status: New → In Progress
Since os-brick isn't on the list of deliverables overseen by the OpenStack VMT (https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html) I'm responding only in an advisory capacity.
In the past we've considered lack of SSL certificate verification to be a security hardening opportunity. Given that historically many inter-service connections, and particularly driver backends to commercial devices, lacked an easy means of enabling transport layer encryption at all or in cases where they did, were not easy for operators to replace the default/embedded self-signed certificates they shipped with, forcing this on by default often made integration very difficult for end users. The situation has improved in recent years, and so user expectations are probably shifting toward a default connection security stance, but I don't think this warrants a widespread advisory and can likely be fixed in public since there are doubtless many other drivers still in the same situation, and this is a generally well-known shortcoming.