Comment 12 for bug 1353315

Grant Murphy (gmurphy) wrote : Re: Incorrect condition expression for ssl_insecure

Draft impact description:

Title: TLS certificate verification option not honoured in paste configurations
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.9.0 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in python-keystoneclient and keystonemiddleware. When the 'insecure' option is set in a paste configuration file, it is effectively ignored, regardless of its value. As a result, certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware and python-keystoneclient configured via a paste.ini file are affected by this flaw.
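An added illustration, not keystonemiddleware's own code (the comment above does not quote the faulty expression): it assumes the mechanism is that values read from a paste.ini section arrive as strings and a bare truthiness check on the raw string treats `insecure = false` as enabled, and shows a strict boolean parser beside that pattern. The section name, keys and values are constructed for the example.

```python
"""Added example, not the project's code. Assumption: the option value is read
from paste.ini as a string, so `if conf.get('insecure')` is true for 'false'."""
from configparser import ConfigParser

# Constructed sample paste configuration in the shape of an auth_token filter section.
SAMPLE_PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = false
"""

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def load_filter_conf(text, section="filter:authtoken"):
    """Parse the INI text and return the filter section as a dict of strings."""
    parser = ConfigParser()
    parser.read_string(text)
    return dict(parser.items(section))


def insecure_naive(conf):
    """Buggy pattern (assumed): any non-empty string is truthy, so 'false'
    still disables certificate verification."""
    return bool(conf.get("insecure"))


def bool_from_string(value, default=False):
    """Explicit boolean parsing; an unrecognised spelling is an error rather
    than a silent guess, since the option controls TLS verification."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    lowered = str(value).strip().lower()
    if lowered in TRUE_STRINGS:
        return True
    if lowered in FALSE_STRINGS:
        return False
    raise ValueError(f"unrecognised boolean value for 'insecure': {value!r}")


def insecure_strict(conf):
    """Hardened check: verification stays on unless the value parses as true."""
    return bool_from_string(conf.get("insecure"), default=False)
```

Running `insecure_naive` and `insecure_strict` over the same parsed section shows the two checks disagreeing on `insecure = false`, which is the misconfiguration a reviewer of a paste.ini would want to flag.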