SSL terminator will terminates at the network boundary. I am thinking if the crackers can figure out a way to sneak into the internal network and capture all the sensitive information still. Is this a concern for a private cloud?
On Tue, Apr 29, 2014 at 10:39 AM, Rob Crittenden <[email protected]>wrote: > Hao Wang wrote: > >> Thanks. It makes sense. The other questions are, would Heartbleed be a >> potential risk? Which solution is being used in OpenStack SSL? >> > > Native SSL services (eventlet) are based on OpenSSL, as is Apache > (horizon) so yes, the risk is there if you haven't updated your OpenSSL > libraries. > > The general consensus however is to use SSL terminators rather than > enabling SSL in the endpoints directly. You'd need to investigate the SSL > library in the terminator you choose, though it would likely be OpenSSL. > > Check this out as well, https://blog-nkinder.rhcloud.com/?p=7 > > rob > > >> >> On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham >> <[email protected] <mailto:[email protected]>> wrote: >> >> This is why any production API servers should all be running TLS/SSL >> – to protect the confidentiality of messages in flight.____ >> >> __ __ >> >> >> There have been efforts to remove sensitive information from logs, >> I’m a little surprised that passwords are logged in Neutron.____ >> >> __ __ >> >> *From:*Hao Wang [mailto:[email protected] >> <mailto:[email protected]>] >> *Sent:* 29 April 2014 14:06 >> *To:* [email protected] >> <mailto:[email protected]> >> *Cc:* openstack; Aaron Knister >> *Subject:* Re: [Openstack-security] [Openstack] API Security____ >> >> __ __ >> >> Adding security group...____ >> >> __ __ >> >> >> On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <[email protected] >> <mailto:[email protected]>> wrote:____ >> >> It is the client. I got this message with DEBUG enabled:____ >> >> >> curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H >> "Content-Type: application/json" -H "Accept: application/json" >> -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": >> "admin", "passwordCredentials": {"username": "admin", >> "password": "admin"}}}'____ >> >> __ __ >> >> >> It can be seen that username and password are right in the >> message.____ >> >> __ __ >> >> Hao____ >> >> __ __ >> >> >> On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister >> <[email protected] <mailto:[email protected]>> >> wrote:____ >> >> >> Was it the client or the server that exposed the credentials? >> >> Sent from my iPhone____ >> >> >> >> On Apr 26, 2014, at 2:28 PM, Hao Wang <[email protected] >> <mailto:[email protected]>> wrote:____ >> >> Hi,____ >> >> __ __ >> >> >> I am troubleshooting a neutron case. It was just found >> that if DEBUG was enabled, neutron would print out JSON >> data with username and password. I am wondering what >> kind of protocol is used in production environment to >> prevent this security risk from happening.____ >> >> __ __ >> >> Thanks,____ >> >> Hao____ >> >> >> _______________________________________________ >> Mailing list: >> http://lists.openstack.org/cgi-bin/mailman/listinfo/ >> openstack >> Post to : [email protected] >> <mailto:[email protected]> >> Unsubscribe : >> http://lists.openstack.org/cgi-bin/mailman/listinfo/ >> openstack____ >> >> __ __ >> >> __ __ >> >> >> >> >> _______________________________________________ >> Openstack-security mailing list >> [email protected] >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security >> >> >
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
