SecureClientConnections

= Securing OpenStack Client Connections =

The OpenStack client repositories (or packages) include both the Python API bindings and the reference command line interface (CLI) implementation to communicate with the OpenStack APIs. Client support for modern encrypted connections, i.e SSLv3 and/or TLSv1, has been spotty at best. Most of the clients are capable of using SSL for encryption but often the certificate verification part of the protocol did not work properly for tier-2 or privately signed certificates, prompting the addition of the   option to some of the clients. In addition, most of the clients had no mechanism to specify an alternate CA bundle file to enable certificate verification. Python has historically had incomplete X.509 certificate support in its standard library. For example, ssl and httplib do not verify the hostname as part of certificate verification. Four of the clients (keystone, nova, cinder, quantum) use  which had no hostname verification before 0.7.0 and what it currently has is incomplete. The other two clients (glance and swift) use  directly and either have no hostname verification (swift) or implement it locally (glance).

Issue Summary

 * Python's  module does no certificate hostname verification in 2.7.x;  it has been added in 3.2 but will not be backported. [1]
 * is pinned to using protocol version SSLv23 and must be directly patched to override it.
 * uses  and adds no hostname verification.  In addition it only uses the default   protocol version set by  .  We don't want this as   is deprecated and insecure.  Patching that value directly into the   module works but is suboptimal.
 * implements a basic hostname verification but it has some problems such as only checking commonName if the certificate's subjectAltNames is not present and handling wildcards differently than specified in RFC-2818.
 * uses an internal ca bundle (cacert.txt) if the ca_certs argument is not given to.
 * only supports 3xx redirects for the GET method.

Additional Notes
glanceclient has patched the  module out of httplib in favor of pyOpenSSL. Stuart McLaren added  to  validate commonName and subjectAltName for   connections but it doesn't handle wildcards.

The CLI Solution
The current round of patches to the CLIs is to get them all up to the same level of support for TLSv1 for authentication, at a minimum. Glance and Swift continue to use  directly for their data transfer  connections (really, all connections to their respective services) and these already support SSL.v?.

Why requests?
The requests module [2]  backported   from Python 3.2. Like all of the other modules here it does not handle the iPAddress attribute in subjectAltName. This is mostly relevant in development and testing use cases like with DevStack. The 3.2  implementation however does allow IP addresses as a dNSName.Requests also brings a number of other features to the table that may or may not have been implemented individually in the existing clients such as JSON encoding/decoding and 3xx redirection support for POST, PUT, PATCH  DELETE, and HEAD. Plus it is stable (notwithstanding the recent 1.0 release) and the developer is known in the OS community.

Original Client HTTP Modules
The approach taken for the   subclasses is to change the parent class to object and rework the   method to call. Some of the differences for  leaked out of  that method but have been mostly containd within the   class. All four of the clients (formerly) using  have implemented one or more features that can easily be handled by   (such as redirection) or should also be propogated to the other clients. This is ripe for a refactor of  to a common module but that effort is not in scope here.

Client Update Status
keystoneclient (complete) https://review.openstack.org/17624


 * replace httplib2 with requests

novaclient (complete) https://review.openstack.org/18257


 * replace httplib2 with requests
 * add --os-cacert and OS_CACERT support
 * provide ca_cert to keystone client for authentication

cinderclient (complete) https://review.openstack.org/18278


 * replace httplib2 with requests
 * add --os-cacert and OS_CACERT support
 * provide ca_cert to keystone client for authentication

glanceclient (complete) https://review.openstack.org/17698


 * rename --ca-cert to --os-cacert and add OS_CACERT
 * provide ca_cert to keystone client for authentication

swiftclient (complete) https://review.openstack.org/18393


 * add --os-cacert and OS_CACERT support
 * provide ca_cert to keystone client for authentication

quantumclient (not started)


 * replace httplib2 with requests
 * add --os-cacert and OS_CACERT support
 * provide ca_cert to keystone client for authentication

Testing
Aside from the usual unit tests, support for a TLS proxy is being added to DevStack to demonstrate and test a TLS-enabled OpenStack configuration. It uses stud as the TLS endpoint that proxies to the usual service endpoints. The most interesting challenge here is doing it all on a single host and making the service catalog work. Yay! The TLS-in-DevStack also builds a two-tiered CA (root and intermediate) for testing proper certificate chain validation.

Links

 * glanceclient host_matches_cert:
 * https://review.openstack.org/#/c/16305/4/glanceclient/common/http.py
 * request's urllib3.ssl_match_hostname.match_hostname:
 * https://github.com/kennethreitz/requests/blob/master/requests/packages/urllib3/connectionpool.py#L72
 * https://github.com/kennethreitz/requests/blob/master/requests/packages/urllib3/packages/ssl_match_hostname/ init .py#L23

[1]:http://bugs.python.org/issue1589, the comments about 2.x begin at http://bugs.python.org/issue1589#msg120946

[2]:The patches for the OpenStack CLIs were engineered and implemented before the release of requests 1.0 which is a significantly different  implementation and is untested in our application.

-- dtroyer@gmail.com