| author | Devjani Ray <devjani.ray@oracle.com> |
| Fri, 14 Aug 2015 15:36:22 -0400 | |
| changeset 4778 | f8e00b2d7e90 |
| permissions | -rw-r--r-- |
|
4778
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
1 |
This upstream patch addresses the removal of SSLv3 (Bug# 1395095) |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
2 |
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
3 |
From https://review.openstack.org/openstack/oslo.messaging |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
4 |
* branch refs/changes/78/136278/2 -> FETCH_HEAD |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
5 |
From 42f55a1dda96d4ceecf8cca5fba9cd723673f6e3 Mon Sep 17 00:00:00 2001 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
6 |
From: Thomas Goirand <[email protected]> |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
7 |
Date: Fri, 21 Nov 2014 17:40:46 +0800 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
8 |
Subject: [PATCH] Remove the use of PROTOCOL_SSLv3 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
9 |
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
10 |
The PROTOCOL_SSLv3 should not be used, as it can be exploited with |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
11 |
a protocol downgrade attack. Also, its support has been removed in |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
12 |
Debian, so it simply doesn't work at all now in Sid. |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
13 |
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
14 |
This patch removes PROTOCOL_SSLv3 from one of the possible protocols |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
15 |
used by oslo.messaging. |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
16 |
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
17 |
Closes-Bug: #1395095 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
18 |
Change-Id: I2c1977c3bfc1923bcb03744e909f2e70c7fdb14c |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
19 |
--- |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
20 |
oslo/messaging/_drivers/impl_rabbit.py | 12 ++++++++---- |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
21 |
1 file changed, 8 insertions(+), 4 deletions(-) |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
22 |
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
23 |
diff --git a/oslo/messaging/_drivers/impl_rabbit.py b/oslo/messaging/_drivers/impl_rabbit.py |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
24 |
index 939a3ce..0c786ed 100644 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
25 |
--- a/oslo/messaging/_drivers/impl_rabbit.py |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
26 |
+++ b/oslo/messaging/_drivers/impl_rabbit.py |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
27 |
@@ -41,8 +41,8 @@ rabbit_opts = [ |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
28 |
cfg.StrOpt('kombu_ssl_version',
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
29 |
default='', |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
30 |
help='SSL version to use (valid only if SSL enabled). ' |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
31 |
- 'valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may ' |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
32 |
- 'be available on some distributions.' |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
33 |
+ 'valid values are TLSv1 and SSLv23. SSLv2 and ' |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
34 |
+ 'SSLv3 may be available on some distributions.' |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
35 |
), |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
36 |
cfg.StrOpt('kombu_ssl_keyfile',
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
37 |
default='', |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
38 |
@@ -496,8 +496,7 @@ class Connection(object): |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
39 |
# FIXME(markmc): use oslo sslutils when it is available as a library |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
40 |
_SSL_PROTOCOLS = {
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
41 |
"tlsv1": ssl.PROTOCOL_TLSv1, |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
42 |
- "sslv23": ssl.PROTOCOL_SSLv23, |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
43 |
- "sslv3": ssl.PROTOCOL_SSLv3 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
44 |
+ "sslv23": ssl.PROTOCOL_SSLv23 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
45 |
} |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
46 |
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
47 |
try: |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
48 |
@@ -505,6 +504,11 @@ class Connection(object): |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
49 |
except AttributeError: |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
50 |
pass |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
51 |
|
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
52 |
+ try: |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
53 |
+ _SSL_PROTOCOLS["sslv3"] = ssl.PROTOCOL_SSLv3 |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
54 |
+ except AttributeError: |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
55 |
+ pass |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
56 |
+ |
|
f8e00b2d7e90
21628600 Remove the use of PROTOCOL_SSLv3
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
57 |
@classmethod |