1 This upstream patch addresses the removal of SSLv3 (Bug# 1395095) |
|
2 |
|
3 From https://review.openstack.org/openstack/oslo.messaging |
|
4 * branch refs/changes/78/136278/2 -> FETCH_HEAD |
|
5 From 42f55a1dda96d4ceecf8cca5fba9cd723673f6e3 Mon Sep 17 00:00:00 2001 |
|
6 From: Thomas Goirand <[email protected]> |
|
7 Date: Fri, 21 Nov 2014 17:40:46 +0800 |
|
8 Subject: [PATCH] Remove the use of PROTOCOL_SSLv3 |
|
9 |
|
10 The PROTOCOL_SSLv3 should not be used, as it can be exploited with |
|
11 a protocol downgrade attack. Also, its support has been removed in |
|
12 Debian, so it simply doesn't work at all now in Sid. |
|
13 |
|
14 This patch removes PROTOCOL_SSLv3 as one of the possible protocols |
|
15 used by oslo.messaging. |
|
16 |
|
17 Closes-Bug: #1395095 |
|
18 Change-Id: I2c1977c3bfc1923bcb03744e909f2e70c7fdb14c |
|
19 --- |
|
20 oslo/messaging/_drivers/impl_rabbit.py | 12 ++++++++---- |
|
21 1 file changed, 8 insertions(+), 4 deletions(-) |
|
22 |
|
23 diff --git a/oslo/messaging/_drivers/impl_rabbit.py b/oslo/messaging/_drivers/impl_rabbit.py |
|
24 index 939a3ce..0c786ed 100644 |
|
25 --- a/oslo/messaging/_drivers/impl_rabbit.py |
|
26 +++ b/oslo/messaging/_drivers/impl_rabbit.py |
|
27 @@ -41,8 +41,8 @@ rabbit_opts = [ |
|
28 cfg.StrOpt('kombu_ssl_version', |
|
29 default='', |
|
30 help='SSL version to use (valid only if SSL enabled). ' |
|
31 - 'valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may ' |
|
32 - 'be available on some distributions.' |
|
33 + 'valid values are TLSv1 and SSLv23. SSLv2 and ' |
|
34 + 'SSLv3 may be available on some distributions.' |
|
35 ), |
|
36 cfg.StrOpt('kombu_ssl_keyfile', |
|
37 default='', |
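Review bot: The new help text for `kombu_ssl_version` still lists SSLv2 and SSLv3 as values that "may be available on some distributions" without saying they are insecure, so an operator on a platform that still ships them gets no hint that they should not be selected. I would end the help string with something like `'SSLv2 and SSLv3 are insecure and are accepted only where the ssl module still provides them; prefer TLSv1.'`. The help also does not say what is negotiated when the option keeps its `default=''`, which is worth one sentence since that is the setting most deployments will run with.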
|
38 @@ -496,8 +496,7 @@ class Connection(object): |
|
39 # FIXME(markmc): use oslo sslutils when it is available as a library |
|
40 _SSL_PROTOCOLS = { |
|
41 "tlsv1": ssl.PROTOCOL_TLSv1, |
|
42 - "sslv23": ssl.PROTOCOL_SSLv23, |
|
43 - "sslv3": ssl.PROTOCOL_SSLv3 |
|
44 + "sslv23": ssl.PROTOCOL_SSLv23 |
|
45 } |
|
46 |
|
47 try: |
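Review bot: `"sslv23": ssl.PROTOCOL_SSLv23` stays in `_SSL_PROTOCOLS`, and that constant requests version negotiation rather than one fixed version, so whether an SSLv3 handshake is still possible depends on the defaults of the underlying ssl library. If the connection code builds an SSL context (not visible here), setting `ssl.OP_NO_SSLv3` and `ssl.OP_NO_SSLv2` on it would close the downgrade path the commit message describes. The later `@@ -505,6 +504,11 @@` hunk also re-registers `"sslv3"` whenever `ssl.PROTOCOL_SSLv3` exists, so the protocol remains selectable on platforms that still expose it. A comment above that try block such as `# sslv3 is insecure (protocol downgrade); registered only where the ssl module still exposes it`, plus a warning log when it is chosen, would make the intent explicit. The `Connection` class body and that later hunk continue outside the visible lines.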
|
48 @@ -505,6 +504,11 @@ class Connection(object): |
|
49 except AttributeError: |
|
50 pass |
|
51 |
|
52 + try: |
|
53 + _SSL_PROTOCOLS["sslv3"] = ssl.PROTOCOL_SSLv3 |
|
54 + except AttributeError: |
|
55 + pass |
|
56 + |
|
57 @classmethod |
|