vmware driver does not validate server certificates

Bug #1276207 reported by Eric Brown
Affects                    Status         Importance   Assigned to
Ceilometer                 Fix Released   Medium       Eric Brown
Cinder                     Fix Released   Medium       Vipin Balachandran
Glance                     New            Undecided    Johnson koil raj
OpenStack Compute (nova)   Fix Released   Medium       Radoslav Gerganov
oslo.vmware                Fix Released   Medium       Unassigned

Bug Description

The VMware driver establishes connections to vCenter over HTTPS, yet the vCenter server certificate is not verified as part of the connection process. I know this because my vCenter server is using a self-signed certificate which always fails certificate verification. As a result, someone could use a man-in-the-middle attack to spoof the vCenter host to nova.

The vmware driver has a dependency on Suds, which I believe also does not validate certificates because hartsock and I noticed it uses urllib.

For reference, here is a link on secure connections in OpenStack:
https://wiki.openstack.org/wiki/SecureClientConnections

Assuming Suds is fixed to provide an option for certificate verification, the next step would be to modify the vmware driver to provide an option to override invalid certificates (such as self-signed). In other parts of OpenStack, there are options to bypass the certificate check with an "insecure" option set, or you could put the server's certificate in the CA store.

Tags: vmware drivers
Eric Brown (ericwb)
Changed in nova:
assignee: nobody → Eric Brown (ericwb)
Eric Brown (ericwb) wrote :

Opened a bug on pyvmomi - one of the future dependencies.
https://github.com/vmware/pyvmomi/issues/13

Eric Brown (ericwb)
Changed in nova:
status: New → In Progress
Visnusaran Murugan (visnusaran-murugan) wrote :

Can be achieved by overriding the suds transport to use the requests library.

Changed in nova:
importance: Undecided → Medium
milestone: none → icehouse-3
milestone: icehouse-3 → next
Changed in nova:
milestone: next → none
Eric Brown (ericwb)
Changed in nova:
assignee: Eric Brown (ericwb) → nobody
status: In Progress → Confirmed
Changed in cinder:
assignee: nobody → Johnson koil raj (jjohnsonkoilraj)
Changed in cinder:
importance: Undecided → Low
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/111226

Changed in cinder:
status: Confirmed → In Progress
Mike Perez (thingee)
tags: added: drivers
Yalu Bai (yalu0311) wrote : Re: [Bug 1276207] Re: vmware driver does not validate server certificates

I am so sorry, your company's service isn't well within my ISP. I compared
to other VPN providers; their service in my environment is very good, the
speed of connectivity is just three or five seconds, but your service
commonly is three or five minutes, and worse, cannot connect to servers, so
I insist on refunding. Please don't find any reason to answer me; it has no
relationship with the config or other reason, but the network your company
provided, so don't delay the date to refund, because after several rounds
the time is over, so please deal with my refund, thanks!

2014-08-13 3:06 GMT+08:00 Davanum Srinivas (DIMS) <email address hidden>:

> ** Also affects: oslo.vmware
> Importance: Undecided
> Status: New

Changed in oslo.vmware:
status: New → Confirmed
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (master)

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/111226

Changed in oslo.vmware:
status: Confirmed → Fix Committed
Changed in nova:
status: Confirmed → Fix Released
Changed in oslo.vmware:
milestone: none → 0.10.0
status: Fix Committed → Fix Released
Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/179728

Changed in nova:
status: Fix Released → Confirmed
assignee: nobody → Radoslav Gerganov (rgerganov)
Changed in cinder:
status: Fix Released → Confirmed
assignee: Johnson koil raj (jjohnsonkoilraj) → Vipin Balachandran (vbala)
importance: Low → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/179753

Changed in cinder:
status: Confirmed → In Progress
Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/179753
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=39478338bb4a1cbd625a6176d4403bb34a2a0630
Submitter: Jenkins
Branch: master

commit 39478338bb4a1cbd625a6176d4403bb34a2a0630
Author: Vipin Balachandran <email address hidden>
Date: Mon May 4 16:13:41 2015 +0530

    VMware: Enable vCenter certificate verification

    Currently the vCenter certificate is not verified during connection
    establishment. This patch adds a config option to specify a CA
    bundle file to verify the vCenter server certificate.

    DocImpact

    Change-Id: Ida730db66b154a4d445f7a91bccb9ca5b5a26f5e
    Closes-Bug: #1276207

Changed in cinder:
status: In Progress → Fix Committed
Eric Brown (ericwb)
Changed in ceilometer:
assignee: nobody → Eric Brown (ericwb)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ceilometer (master)

Fix proposed to branch: master
Review: https://review.openstack.org/180266

Changed in ceilometer:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ceilometer (master)

Reviewed: https://review.openstack.org/180266
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=2f4ff42a9257a51ca807ac534ca3e598e627a959
Submitter: Jenkins
Branch: master

commit 2f4ff42a9257a51ca807ac534ca3e598e627a959
Author: Eric Brown <email address hidden>
Date: Tue May 5 11:38:49 2015 -0700

    VMware: verify vCenter server certificate

    Two configuration properties are being added:

    'ca_file': Specify a CA bundle file to use in verifying the vCenter
    server certificate

    'insecure': If true, the vCenter server certificate is not verified.
    If false, then the default CA truststore is used for verification.
    This option is ignored if 'ca_file' is set.

    Closes-Bug: #1276207

    DocImpact

    Change-Id: I8f408308cddbb40b19e8dc9fce6ff02745d963b8

Changed in ceilometer:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/179728
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=823766637d2cdd45df75716553656e4650cb49ec
Submitter: Jenkins
Branch: master

commit 823766637d2cdd45df75716553656e4650cb49ec
Author: Radoslav Gerganov <email address hidden>
Date: Mon May 4 11:18:58 2015 +0300

    VMware: verify vCenter server certificate

    Two configuration properties are being added:
    'ca_file': Specify a CA bundle file to use in verifying the vCenter
    server certificate
    'insecure': If true, the vCenter server certificate is not verified.
    If false, then the default CA truststore is used for verification.
    This option is ignored if 'ca_file' is set.

    Closes-Bug: #1276207

    DocImpact

    Change-Id: I86a04fbd70f726206ddd95caf87685f3559d2ad8

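The two options the merged fixes add, resolved with the precedence the commit messages state (a configured CA bundle always wins, 'insecure' is only consulted when 'ca_file' is unset) and mapped onto a Python TLS context; this is an added example for this page, not the nova, cinder, ceilometer or oslo.vmware code. The function names, the sample paths in the comments and the handshake helper are assumptions.

```python
import socket
import ssl
from typing import Optional, Union


def resolve_verify(ca_file: Optional[str], insecure: bool) -> Union[str, bool]:
    """Turn 'ca_file' / 'insecure' into a requests-style ``verify`` value.

    Precedence as in the merged commits: a configured CA bundle is always
    used, and 'insecure' is ignored whenever 'ca_file' is set.
    """
    if ca_file:
        return ca_file       # trust only the operator-supplied bundle
    return not insecure      # True: default trust store, False: no check


def build_ssl_context(ca_file: Optional[str], insecure: bool) -> ssl.SSLContext:
    """Build the ssl.SSLContext a urllib/http.client transport would use
    for the same options (hypothetical helper, not the drivers' code)."""
    verify = resolve_verify(ca_file, insecure)
    if isinstance(verify, str):
        # PROTOCOL_TLS_CLIENT turns on hostname checking and CERT_REQUIRED
        # but loads no system CAs, so only the given bundle (for example
        # the self-signed vCenter cert from the report) is trusted.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=verify)
        return ctx
    ctx = ssl.create_default_context()   # system trust store, hostname check
    if not verify:
        # 'insecure = True' with no bundle reproduces the pre-fix behaviour
        # the report describes: any certificate a spoofed vCenter presents
        # is accepted. check_hostname must be cleared before verify_mode.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an untrusted server certificate."""
    return ctx.verify_mode != ssl.CERT_NONE


def fetch_peer_cert(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """Do the handshake the vSphere client would; with verification on,
    an untrusted or mismatched certificate raises ssl.SSLCertVerificationError
    instead of silently connecting."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```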
Changed in nova:
status: In Progress → Fix Committed
ZhiQiang Fan (aji-zqfan)
Changed in ceilometer:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: liberty-1 → 12.0.0
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: liberty-1 → 5.0.0
Thierry Carrez (ttx)
Changed in cinder:
milestone: liberty-1 → 7.0.0
Changed in glance:
assignee: nobody → Johnson koil raj (jjohnsonkoilraj)