EC2 and S3 token middleware create insecure connections

Bug #1257566 reported by Jamie Lennox
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | New | Undecided | Unassigned |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |

Bug Description

EC2 and S3 token middleware are similar to auth_token_middleware, receiving and authenticating ec2/s3 tokens. They both still use the httplib method of connecting to keystone and so don't validate any SSL certificates.

On top of this they appear to be completely untested.

They are not enabled by keystone's default pipeline and are thus most likely not used at all and should be either deprecated or moved into keystoneclient.
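The defect described above is a TLS client that never checks the server certificate. The following added example (not keystone's middleware code) contrasts that legacy behaviour with a verifying client using Python 3's http.client, the successor of httplib; the host name and port in the usage are constructed placeholders.

```python
import http.client
import ssl


def legacy_ec2_context():
    """Mirror the old httplib behaviour the bug describes: the TLS handshake
    succeeds against any certificate, so a man in the middle can read tokens."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_keystone_context(cafile=None):
    """Hardened form: chain verification against the system trust store (or a
    deployment-specific CA bundle) plus host name matching."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets CERT_REQUIRED and check_hostname,
    # but state it explicitly so a reviewer can see the intent.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_validates_peer(ctx):
    """Check a context the way a unit test for the middleware should:
    both chain verification and host name matching must be on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def keystone_connection(host, port, cafile=None, timeout=10):
    """Open an HTTPS connection to keystone that refuses unverified peers.
    A bad certificate now surfaces as ssl.SSLCertVerificationError on the
    first request instead of silently succeeding."""
    ctx = verified_keystone_context(cafile)
    if not context_validates_peer(ctx):
        raise RuntimeError("refusing to build an unverified connection")
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    # Constructed placeholder endpoint; no connection is opened until request().
    conn = keystone_connection("keystone.example.test", 443)
    print(conn.host, conn.port, context_validates_peer(verified_keystone_context()))
```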

summary: - EC2 and S3 token middleware uses httplib and is untested
+ EC2 and S3 token middleware create insecure connections
Dolph Mathews (dolph)
information type: Public → Public Security
Grant Murphy (gmurphy) wrote :

This was reported in bug 1188189. ttx / fungi, do we require an advisory for this? Or was it just an OSSN?

Thierry Carrez (ttx)
Changed in ossa:
status: New → Incomplete
Jamie Lennox (jamielennox) wrote :

As pointed out by Grant in #1, this is essentially just a refinement of bug 1188189, but more keystone specific. As these middleware are untested and most likely unused, I was looking to just see whether we can drop/deprecate them or whether they require fixing.

Thierry Carrez (ttx) wrote :

At this point the fact that openstack-internal communications are not all properly encrypted is a known feature gap. Internal management traffic needs to be run over a trusted network as a result. This feature gap is being addressed (in the referenced bug). Once we reach the state where OpenStack internal management traffic can be run over a hostile network (and a release publishes that deployment security as a feature), then we'll consider any regression to be a vulnerability and issue advisories for it.

As far as this bug goes, I would just open this bug and recommend dropping this untested "feature" completely.

Jeremy Stanley (fungi) wrote :

Right, duplicate or child of 1188189 I think. Security hardening, no advisory (but definitely worthy of shouty release notes once we get all these plugged).
