yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #28738
[Bug 1276207] Re: vmware driver does not validate server certificates
** Changed in: oslo.vmware
Status: Fix Committed => Fix Released
** Changed in: oslo.vmware
Milestone: None => 0.10.0
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1276207
Title:
vmware driver does not validate server certificates
Status in Cinder:
In Progress
Status in OpenStack Compute (Nova):
Fix Released
Status in Oslo VMware library for OpenStack projects:
Fix Released
Bug description:
The VMware driver establishes connections to vCenter over HTTPS, yet
the vCenter server certificate is not verified as part of the
connection process. I know this because my vCenter server is using a
self-signed certificate which always fails certification verification.
As a result, someone could use a man-in-the-middle attack to spoof the
vcenter host to nova.
The vmware driver has a dependency on Suds, which I believe also does
not validate certificates because hartsock and I noticed it uses
urllib.
For reference, here is a link on secure connections in OpenStack:
https://wiki.openstack.org/wiki/SecureClientConnections
Assuming Suds is fixed to provide an option for certificate
verification, next step would be to modify the vmware driver to
provide an option to override invalid certificates (such as self-
signed). In other parts of OpenStack, there are options to bypass the
certificate check with a "insecure" option set, or you could put the
server's certificate in the CA store.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1276207/+subscriptions
References