Glance Client

python-glanceclient uses extremely insecure configurations of OpenSSL

Bug #1370283 reported by Alex Gaynor
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance Client
Fix Released
Medium
Stuart McLaren
Glance Client v0.16.0 "v0.16.0"
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

glanceclient does not properly configure OpenSSL, which results in making TLS connections which allow extremely bad security settings.

Specifically it allows SSLv2, and many insecure ciphersuites. From Ubuntu 14.04:

>>> import pprint; import glanceclient.common.http; pprint.pprint(glanceclient.common.http.HTTPClient('https://', ssl_compression=False).session.get("https://www.howsmyssl.com/a/check").json())
{u'able_to_detect_n_minus_one_splitting': False,
 u'beast_vuln': False,
 u'ephemeral_keys_supported': True,
 u'given_cipher_suites': [u'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                          u'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
                          u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
                          u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
                          u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
                          u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384',
                          u'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
                          u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
                          u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
                          u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
                          u'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA',
                          u'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
                          u'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
                          u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
                          u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
                          u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA',
                          u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
                          u'TLS_RSA_WITH_AES_256_GCM_SHA384',
                          u'TLS_RSA_WITH_AES_256_CBC_SHA256',
                          u'TLS_RSA_WITH_AES_256_CBC_SHA',
                          u'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
                          u'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
                          u'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA',
                          u'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
                          u'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA',
                          u'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA',
                          u'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
                          u'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                          u'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
                          u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
                          u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
                          u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
                          u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256',
                          u'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
                          u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
                          u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
                          u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
                          u'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_SEED_CBC_SHA',
                          u'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA',
                          u'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
                          u'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
                          u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256',
                          u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
                          u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA',
                          u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
                          u'TLS_RSA_WITH_AES_128_GCM_SHA256',
                          u'TLS_RSA_WITH_AES_128_CBC_SHA256',
                          u'TLS_RSA_WITH_AES_128_CBC_SHA',
                          u'TLS_RSA_WITH_SEED_CBC_SHA',
                          u'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
                          u'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
                          u'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',
                          u'TLS_ECDH_RSA_WITH_RC4_128_SHA',
                          u'TLS_ECDH_ECDSA_WITH_RC4_128_SHA',
                          u'TLS_RSA_WITH_RC4_128_SHA',
                          u'TLS_RSA_WITH_RC4_128_MD5',
                          u'TLS_DHE_RSA_WITH_DES_CBC_SHA',
                          u'TLS_DHE_DSS_WITH_DES_CBC_SHA',
                          u'TLS_RSA_WITH_DES_CBC_SHA',
                          u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
                          u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA',
                          u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
                          u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
                          u'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
                          u'TLS_EMPTY_RENEGOTIATION_INFO_SCSV'],
 u'insecure_cipher_suites': {u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                             u'TLS_DHE_DSS_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                             u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                             u'TLS_DHE_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                             u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
                             u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
                             u'TLS_RSA_EXPORT_WITH_RC4_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
                             u'TLS_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption']},
 u'rating': u'Bad',
 u'session_ticket_supported': True,
 u'tls_compression_supported': False,
 u'tls_version': u'TLS 1.2',
 u'unknown_cipher_suite_supported': False}

I *strongly* recommend just deleting all this code and using requests.

Tags: security
Revision history for this message
Grant Murphy (gmurphy) wrote :

Thanks for the bug report.

Had a quick look and I can't see these weaker cipher suites being explicitly selected in the code so I would suggest these are the default for OpenSSL implementation being used. I do agree that this needs to be addressed. We should be using secure defaults wherever possible.

I don't think this is something we typically would issue an advisory for. I propose the VMT treat this as a hardening fix.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Yes, ideally someone should file a bug against OpenSSL asking to have strong defaults. We can try to influence how it's used in Glance, but I think it isn't strictly a bug in Glance that OpenSSL's defaults are suboptimal. Certainly making it easier for operators and distributions to deploy Glance with its SSL/TLS connections limited to stronger hashes and ciphers would be preferable and help avoid downgrade attacks, but I agree with Grant that it's at most something worth improving and documenting in the release notes or a security note. Without a direct exploit there's no vulnerability here around which we could issue a security advisory, nor would changes in default behavior or dependencies be fit to backport to stable releases.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

I've subscibed the Glance core security reviewers and added an incomplete security advisory task pending further discussion, but if there are no objections I recommend we switch the bug to public and tag it security as a welcome hardening measure.

Revision history for this message
Alex Gaynor (alex-gaynor) wrote :

It's true that these are the OpenSSL defaults, however it's generlaly accepted that OpenSSL is a disaster zone, and projects *must* override the defaults -- both the Python stdlib and requests will do this. (I think probably PyOpenSSL should as well in truth, but glanceclient should really work around this if it wants to use OpenSSL directly as it dose).

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :
Download full text (5.0 KiB)

If I understand correctly, the current behaviour matches curl and anything else built against openssl.

$ curl https://www.howsmyssl.com/a/check | python -m json.tool
{
    "able_to_detect_n_minus_one_splitting": false,
    "beast_vuln": false,
    "ephemeral_keys_supported": true,
    "given_cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
        "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_SEED_CBC_SHA",
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
   ...

Read more...

Revision history for this message
Thierry Carrez (ttx) wrote :

i'm with Grant and jeremy, I suggest we make this a strengthening bug and open it publicly.

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Ok, I have a patch ready to go. I'll just put it up for review as usual.

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :
Download full text (9.1 KiB)

https://review.openstack.org/122749

Before the patch:

    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 302
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 298
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: Sep 19, 2014 13:38:47.000000000 UTC
                random_bytes: 3fa6f21a44defe9268d9629d202b888c05db2336199a1eb1...
            Session ID Length: 0
            Cipher Suites Length: 146
            Cipher Suites (73 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher S...

Read more...

Jeremy Stanley (fungi)
information type: Private Security → Public
tags: added: security
Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
Matthew Thode (prometheanfire) wrote :

why was this closed, was the cipher suite strengthened?

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

@matthew

No, the patch is still up for review: https://review.openstack.org/122749

@jeremy

can you comment on why this was closed? Thanks.

Revision history for this message
Jeremy Stanley (fungi) wrote :

The bug is not closed--it's still in an untriaged "new" state for python-glanceclient. I merely marked the security advsory task "won't fix" to denote that the VMT has judged this a security hardening opportunity rather than an explicit security vulnerability.

Louis Taylor (kragniz)
Changed in python-glanceclient:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Stuart McLaren (stuart-mclaren)
milestone: none → v0.16.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (master)

Reviewed: https://review.openstack.org/122749
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=9dcf3f16ce1cb7e828ee3d1811bc0ebd44abb106
Submitter: Jenkins
Branch: master

commit 9dcf3f16ce1cb7e828ee3d1811bc0ebd44abb106
Author: Stuart McLaren <email address hidden>
Date: Fri Sep 19 14:25:10 2014 +0000

    Reduce the set of supported client SSL ciphers

    python-glanceclient (like, for example, curl) can advertise the default
    set of supported OpenSSL ciphers in its ClientHello packet.

    This patches reduces that to a stronger subset.

    Change-Id: I7c30465e79d8a32f43458cd6253a98fcf067dc38
    Closes-bug: #1370283

Changed in python-glanceclient:
status: In Progress → Fix Committed
Nikhil Komawar (nikhil-komawar)
Changed in python-glanceclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.