yahoo-eng-team team mailing list archive

[Bug 1373992] [NEW] EC2 keystone auth token is using unsafe SSL connection

 

Public bug reported:

EC2KeystoneAuth uses httplib.HTTPSConnection objects. In Python 2.x
those do not perform CA checks so client connections are vulnerable to
MiM attacks.

This should use requests instead, and pick up the local cacert params if
needed.

** Affects: nova
     Importance: Critical
         Status: Triaged


** Tags: ec2

** Changed in: nova
       Status: New => Triaged

** Changed in: nova
   Importance: Undecided => Critical

** Tags added: ec2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1373992


To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1373992/+subscriptions
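
An added example, not nova's code and not part of the bug report: the fix direction described above (verify the server certificate, optionally against a local CA bundle), shown with Python 3's standard `ssl` and `http.client` modules rather than `requests`. The function names, the `cafile` parameter and the host `keystone.example.test` are assumptions made for illustration.

```python
import http.client
import ssl


def verified_context(cafile=None):
    """TLS client context that checks the CA chain and the hostname."""
    try:
        # With cafile set, only that bundle is trusted; otherwise system CAs.
        return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    except (OSError, ssl.SSLError) as exc:
        # Fail closed: a bad CA bundle must not degrade to "no verification".
        raise RuntimeError("cannot load CA bundle %r: %s" % (cafile, exc))


def unverified_context():
    """The weak setting: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the verification gaps in a context (empty list means none)."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("CA chain not verified")
    if not ctx.check_hostname:
        gaps.append("hostname not checked")
    return gaps


def keystone_connection(host, port=443, cafile=None, timeout=10):
    """HTTPS connection for the token request; refuses an unverified context."""
    ctx = verified_context(cafile)
    gaps = audit_context(ctx)
    if gaps:
        raise RuntimeError("unsafe TLS context: " + ", ".join(gaps))
    # No network traffic happens here; the handshake runs on the first request.
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
```
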

