openstack/security-doc
Code Issues Proposed changes
d6780c5d48
security-doc/security-notes/OSSN-0033
Eric Brown 488c0b49fb Revise OSSN-033 to note fix for HTTPSConnection 
Later versions of Python have HTTPSConnection fixed. So OSSN-0033
should be clarified to only apply to Python earlier than 2.7.9 and
3.4.3.

Change-Id: Ib50d85dec5789749bb32ecd6d58b98dcd2670b6c
2017-03-08 10:09:04 -08:00

59 lines
2.4 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Some SSL-Enabled connections fail to perform basic certificate checks
---
### Summary ###
In many places, OpenStack components use HTTPSConnection to establish
an SSL connection between endpoints. Early Python versions of this
class do not provide many of the assurances one would expect when
using SSL and leaves connections open to potential man-in-the-middle attacks.
### Affected Services / Software ###
All OpenStack services, Havana, Icehouse, Juno
### Discussion ###
A secure SSL session relies on validation of a X.509 certificate. Basic
checks include:
- Certificate Authority trust verification
- Certificate revocation status
- Certificate expiration
- Certificate subject name matching
The HTTPSConnection class is used in a large number of locations and
early Python versions failed to check that certificates are signed by a
valid authority. Without that check in place, the subsequent checks (some
highlighted above) are largely invalid.
The result is that an attacker who has access to the network traffic
between two endpoints relying on HTTPSConnection can trivially create a
certificate that will be accepted by HTTPSConnection as valid - allowing
the attacker to intercept, read and modify traffic that should be
encrypted by SSL.
Later versions of Python, namedly 2.7.9 and 3.4.3, do perform proper
validation in establishing connections. So this OSSN only applies
to environments running older versions of Python.
### Recommended Actions ###
Some projects have updated their code to be more secure, others have
not. The OSSP suggest cloud deployers check the status of the bug
mentioned in the 'References' section of this note to see if the
projects they require have updated.
### Contacts / References ###
Author: Robert Clark, HP
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0033
Launchpad Bugs :
- https://bugs.launchpad.net/ossn/+bug/1188189
- https://bugs.launchpad.net/ossn/+bug/1436082
- https://bugs.launchpad.net/nova/+bug/1276207
- https://bugs.launchpad.net/vmware-nsx/+bug/1487962
- https://bugs.launchpad.net/vmware-nsx/+bug/1488265
Python 2.x doc : https://docs.python.org/2/library/httplib.html#httplib.HTTPSConnection
Python 3.x doc : https://docs.python.org/3.4/library/http.client.html#http.client.HTTPSConnection
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
View Git Blame Copy Permalink