Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient)
Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as part of python-keystoneclient). When the 'insecure' option is set in a paste configuration file, its value is effectively ignored: certificate verification is disabled whenever the option is present, regardless of what it is set to. This leaves the middleware's TLS connections to the identity service open to man-in-the-middle (MITM) attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw; deployments that set 'insecure' anywhere in paste.ini should confirm that certificate verification is actually in effect.
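The failure mode described above, as an added illustration that is not keystonemiddleware's or python-keystoneclient's own code: values read from a paste.ini file arrive as strings, and a non-empty string such as "false" is truthy in Python, so a naive truth test on the option disables verification whenever the option is present. The paste.ini fragment, the helper names (load_filter_conf, verify_flag_buggy, verify_flag_fixed, bool_from_string, requests_verify_arg) and the hostname are constructed for this example; the fixed variant parses the string explicitly and rejects unrecognised values rather than guessing.

```python
import configparser

# Constructed paste.ini fragment (not taken from the advisory). The operator
# sets insecure=false, intending that certificate verification stays ON.
PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
identity_uri = https://keystone.example.com:35357
insecure = false
cafile = /etc/ssl/certs/ca-bundle.crt
"""

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def load_filter_conf(text, section="filter:authtoken"):
    """Parse a paste.ini section into a dict; every value is a string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.items(section))


def verify_flag_buggy(conf):
    """Bug pattern: the raw string is used as a boolean, so any value present
    (including 'false') is truthy and turns verification off."""
    insecure = conf.get("insecure", False)
    return not insecure


def bool_from_string(value, default=False):
    """Strict string-to-bool parser (hypothetical helper, modelled on the
    common 'bool_from_string' idiom). Unrecognised values raise rather than
    silently choosing a side."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("unrecognised boolean value for 'insecure': %r" % (value,))


def verify_flag_fixed(conf):
    """Fixed variant: parse the string, so insecure=false keeps verification on."""
    return not bool_from_string(conf.get("insecure"), default=False)


def requests_verify_arg(conf, parser=verify_flag_fixed):
    """What would be handed to an HTTP client's verify= parameter: the CA
    bundle path when verification is on, False when it is deliberately off."""
    if not parser(conf):
        return False
    return conf.get("cafile", True)


def audit_paste_config(text):
    """Compare the two interpretations of one config; a mismatch is the bug."""
    conf = load_filter_conf(text)
    return {
        "insecure_raw": conf.get("insecure"),
        "buggy_verifies": verify_flag_buggy(conf),
        "fixed_verifies": verify_flag_fixed(conf),
    }


if __name__ == "__main__":
    print(audit_paste_config(PASTE_INI))
```

Run against the constructed fragment, the buggy reading reports verification off while the fixed reading reports it on; an operator auditing a deployment can apply the same comparison to the real paste.ini to see whether a "false" they wrote was ever honoured.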