** Also affects: cinder
   Importance: Undecided
       Status: New

** Changed in: cinder
     Assignee: (unassigned) => Johnson koil raj (jjohnsonkoilraj)

https://bugs.launchpad.net/bugs/1276207

Title:
  vmware driver does not validate server certificates

Status in Cinder:
  New
Status in OpenStack Compute (Nova):
  Confirmed

Bug description:
  The VMware driver establishes connections to vCenter over HTTPS, yet
  the vCenter server certificate is not verified as part of the
  connection process. I know this because my vCenter server is using a
  self-signed certificate which always fails certification verification.
  As a result, someone could use a man-in-the-middle attack to spoof the
  vCenter host to nova.

  The vmware driver has a dependency on Suds, which I believe also does
  not validate certificates because hartsock and I noticed it uses
  urllib.

  For reference, here is a link on secure connections in OpenStack:
  https://wiki.openstack.org/wiki/SecureClientConnections

  Assuming Suds is fixed to provide an option for certificate
  verification, the next step would be to modify the vmware driver to
  provide an option to override invalid certificates (such as
  self-signed). In other parts of OpenStack, there are options to bypass
  the certificate check with an "insecure" option set, or you could put
  the server's certificate in the CA store.
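The behaviour the report asks for (verify by default, with an explicit CA file or an explicit "insecure" override) can be sketched with Python 3's standard library. This is an added example, not code from nova, cinder or Suds; the function names and the `insecure` / `ca_file` option names are assumptions made for illustration.

```python
import logging
import ssl
import urllib.request
from typing import Optional

LOG = logging.getLogger(__name__)


def build_vcenter_ssl_context(insecure: bool = False,
                              ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS context for HTTPS connections to vCenter.

    `insecure` and `ca_file` are hypothetical option names modelled on the
    bug description, not the driver's real configuration keys.
    """
    if insecure and ca_file:
        # Ambiguous configuration: refuse rather than guess which one wins.
        raise ValueError("set either insecure or ca_file, not both")

    if ca_file:
        # Trust only this bundle, e.g. a self-signed vCenter certificate.
        # A missing or unreadable file raises OSError, so a bad path fails
        # closed instead of silently falling back to no verification.
        return ssl.create_default_context(cafile=ca_file)

    # Default: system CA store, CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context()
    if insecure:
        LOG.warning("vCenter certificate verification is disabled")
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_opener(insecure: bool = False, ca_file: Optional[str] = None):
    """Return a urllib opener whose HTTPS handler uses the context above.

    A SOAP transport built on urllib would send its requests through it.
    """
    ctx = build_vcenter_ssl_context(insecure=insecure, ca_file=ca_file)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
```
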