glanceclient does not properly configure OpenSSL: it sets up its TLS connections without restricting the cipher list or the protocol versions, so the client offers extremely weak security settings to any server it talks to.
Specifically it allows SSLv2 and many insecure ciphersuites (export-grade, single-DES, RC4 and MD5-based suites all appear in the offered list below). Reproduced on Ubuntu 14.04 with the system OpenSSL. Note that the howsmyssl check only demonstrates the ciphersuite problem — the connection negotiated TLS 1.2, so the SSLv2 claim is not visible in this output and needs to be confirmed separately (e.g. against a server that only speaks SSLv2/SSLv3):
>>> import pprint; import glanceclient.common.http; pprint.pprint(glanceclient.common.http.HTTPClient('https://', ssl_compression=False).session.get("https://www.howsmyssl.com/a/check").json())
{u'able_to_detect_n_minus_one_splitting': False,
u'beast_vuln': False,
u'ephemeral_keys_supported': True,
u'given_cipher_suites': [u'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
u'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384',
u'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
u'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
u'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
u'TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA',
u'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
u'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA',
u'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
u'TLS_RSA_WITH_AES_256_GCM_SHA384',
u'TLS_RSA_WITH_AES_256_CBC_SHA256',
u'TLS_RSA_WITH_AES_256_CBC_SHA',
u'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
u'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
u'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
u'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256',
u'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
u'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
u'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
u'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
u'TLS_DHE_DSS_WITH_SEED_CBC_SHA',
u'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
u'TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA',
u'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
u'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA',
u'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
u'TLS_RSA_WITH_AES_128_GCM_SHA256',
u'TLS_RSA_WITH_AES_128_CBC_SHA256',
u'TLS_RSA_WITH_AES_128_CBC_SHA',
u'TLS_RSA_WITH_SEED_CBC_SHA',
u'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
u'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
u'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',
u'TLS_ECDH_RSA_WITH_RC4_128_SHA',
u'TLS_ECDH_ECDSA_WITH_RC4_128_SHA',
u'TLS_RSA_WITH_RC4_128_SHA',
u'TLS_RSA_WITH_RC4_128_MD5',
u'TLS_DHE_RSA_WITH_DES_CBC_SHA',
u'TLS_DHE_DSS_WITH_DES_CBC_SHA',
u'TLS_RSA_WITH_DES_CBC_SHA',
u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA',
u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
u'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
u'TLS_EMPTY_RENEGOTIATION_INFO_SCSV'],
u'insecure_cipher_suites': {u'TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_DHE_DSS_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_DHE_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_EXPORT_WITH_RC4_40_MD5': [u'uses keys smaller than 128 bits in its encryption'],
u'TLS_RSA_WITH_DES_CBC_SHA': [u'uses keys smaller than 128 bits in its encryption']},
u'rating': u'Bad',
u'session_ticket_supported': True,
u'tls_compression_supported': False,
u'tls_version': u'TLS 1.2',
u'unknown_cipher_suite_supported': False}
I *strongly* recommend deleting this custom HTTP/TLS layer and using requests instead, which ships a hardened default cipher list and protocol settings rather than inheriting whatever the OpenSSL build offers by default.
Thanks for the bug report.
Had a quick look and I can't see these weaker cipher suites being explicitly selected in the code, so I suspect they are simply the defaults of the OpenSSL build in use. That is exactly the problem: a client that never sets its own cipher list and never disables the legacy protocol versions inherits whatever the library offers by default. I agree this needs to be addressed; we should set an explicit, restrictive cipher list and a minimum protocol version rather than rely on library defaults.
I don't think this is something we would typically issue an advisory for: against a correctly configured server the client still negotiates TLS 1.2 with a strong suite (as the output above shows), so the weak offers only become relevant when the peer is itself weak or a downgrade is forced. I propose the VMT treat this as a hardening fix rather than a vulnerability.