Meetings/Swift
< Meetings
Revision as of 13:11, 17 January 2014 by Tristan Cacqueray (talk | contribs) (Add swiftclient SSL certificate validation topic)
Meeting Time: Every other Wednesday at 19:00 UTC
Next Meeting: Jan 8, 2014 (no meeting Dec 25)
Agenda:
- python-swiftclient status
- python-swiftclient SSL certificate validation, facts:
- Actual https client implementation does not validate server certificate with CA (and will blindly accept self-signed certificate which allow MITM attack).
- python-swiftclient have been removed from Debian testing because of this vulnerability.
- Fix is in progress (since Jun 2013): https://review.openstack.org/#/c/33473/.
- python-swiftclient SSL certificate validation, solutions:
- Finish the fix in progress:
- pro: it tackles both vulnerability (MITM and CRIME).
- con: it implements a custom SSL validation just for swiftclient, and this is not a good idea as there's lots of sharp edges, and getting it wrong doesn't fail with obvious failures.
- Switch to request module
- pro: common implementation which would remove complexity from swiftclient
- con: does not implement the SSL compression disabling yet. (This open another vulnerability because of the CRIME attack, though it could be overcome by disabling compression at the server side)
- Finish the fix in progress:
- log #openstack-swift
- pro: lets people who don't use bouncers see what was said
- con: people are less free with opinions since it will live forever
- sysmeta status
- Swift 1.12.0 release