yahoo-eng-team team mailing list archive

[Jeremy Stanley <fungi@xxxxxxxxxxx>]

** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-3511

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1381365

Title:
  SSL Version and cipher selection not possible

Status in Cinder:
  New
Status in OpenStack Image Registry and Delivery Service (Glance):
  New
Status in OpenStack Identity (Keystone):
  New
Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  We configure keystone to use SSL always. Due to the poodle issue, I was trying to configure keystone to disable SSLv3 completely. 
  http://googleonlinesecurity.blogspot.fi/2014/10/this-poodle-bites-exploiting-ssl-30.html
  https://www.openssl.org/~bodo/ssl-poodle.pdf

  It seems that keystone has no support for configring SSL versions, nor
  ciphers.

  If I'm not mistaken the relevant code is in the start function in
  common/environment/eventlet_server.py

  It calls 
  eventlet.wrap_ssl
  but with no SSL version nor cipher options. Since the interface is identical, I assume it uses ssl.wrap_socket. The default here seems to be  PROTOCOL_SSLv23 (SSL2 disabled), which would make this vulnerable to the poodle issue.

  SSL conifgs should probably be possible to be set in the config file
  (with sane defaults), so that current and newly detected weak ciphers
  can be disabled without code changes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1381365/+subscriptions