yahoo-eng-team team mailing list archive
Message #09289
[Bug 1276207] [NEW] vmware driver does not validate server certificates
Public bug reported:
The VMware driver establishes connections to vCenter over HTTPS, yet the
vCenter server certificate is not verified as part of the connection
process. I know this because my vCenter server is using a self-signed
certificate which always fails certificate verification. As a result,
someone could use a man-in-the-middle attack to spoof the vCenter host
to nova.

The VMware driver has a dependency on Suds, which I believe also does
not validate certificates because hartsock and I noticed it uses urllib.

For reference, here is a link on secure connections in OpenStack:
https://wiki.openstack.org/wiki/SecureClientConnections

Assuming Suds is fixed to provide an option for certificate
verification, the next step would be to modify the VMware driver to provide
an option to override invalid certificates (such as self-signed). In
other parts of OpenStack, there are options to bypass the certificate
check with an "insecure" option set, or you could put the server's
certificate in the CA store.
** Affects: nova
Importance: Undecided
Status: New
** Tags: vmware
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1276207
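The three behaviours the report describes (verify by default, trust a specific CA file, or an explicit "insecure" bypass), sketched for a urllib-based HTTPS client. This is an added example, not code from the bug report, nova or Suds; the function names and the `insecure` / `ca_file` option names are hypothetical.

```python
import ssl
import urllib.request


def build_tls_context(insecure=False, ca_file=None):
    """Return an SSLContext for HTTPS connections to a vCenter endpoint.

    insecure and ca_file are hypothetical option names for this sketch.
    """
    if insecure and ca_file:
        # Refuse ambiguous configuration instead of silently ignoring ca_file.
        raise ValueError("ca_file has no effect when insecure is set")
    if insecure:
        # Explicit opt-out: neither the chain nor the hostname is checked, so
        # a spoofed endpoint is accepted. check_hostname has to be cleared
        # before verify_mode can be set to CERT_NONE.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Default: verify the chain and the hostname. With ca_file set, only that
    # bundle is trusted (for example an exported self-signed certificate);
    # a missing or unreadable file raises OSError, so the client fails closed.
    return ssl.create_default_context(cafile=ca_file)


def build_opener(insecure=False, ca_file=None):
    """Return a urllib opener whose HTTPS handler uses the context above."""
    ctx = build_tls_context(insecure=insecure, ca_file=ca_file)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def describe(ctx):
    """Summarise what a context enforces, for logging or a config audit."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("default :", describe(build_tls_context()))
    print("insecure:", describe(build_tls_context(insecure=True)))
```

Logging the `describe()` output at start-up makes an insecure deployment visible in a configuration audit.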
[Bug 1276207] [NEW] vmware driver does not validate server certificates
From: Eric Brown, 2014-02-04