[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

Jeremy Stanley fungi at yuggoth.org
Sat Nov 22 22:16:59 UTC 2014


On 2014-11-22 16:33:52 -0500 (-0500), Donald Stufft wrote:
> I refreshed my memory and I was wrong about the specific attack.
> However the point still stands that both the RFC and respected
> folks such as Thomas Pornin state that you should look at the
> version negotiation as a way to selectively enable new features
> not as a way to ensure that a connection uses a secure option when
> both a secure and an insecure option exist.
[...]

I don't disagree with those points, but if you read the source code
in question that's not what it's doing anyway. The problem at hand
is that we allow you to configure RPC over SSLv3 (that's an
attractive nuisance sure), but the way the config validation is
written it explodes violently on platforms which have stripped out
support for SSLv3 even if you didn't configure your system to use
SSLv3 (not a security bug, just a bug bug). TLS negotiation on the
other hand is being left entirely up to the system, so its behaviors
are determined and managed outside of OpenStack anyway.

Unfortunately now too many people are conditioned to fire off panic
replies when they see terms like SSLv3 or MD5 or DES or whatever
without evaluating the specifics of the situation. That makes it
very hard to talk about normal bugs, and causes vulnerability
managers to have to spend hours on PR damage control instead.
-- 
Jeremy Stanley
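To illustrate the distinction Jeremy draws (a config-validation bug, not a negotiation bug), here is an added example that is neither from this thread nor from OpenStack's code: it probes the ssl module for whichever PROTOCOL_* constants the platform actually exposes, so a build with SSLv3 stripped out yields a clear configuration error instead of an AttributeError. The candidate name list, the fake_platform stub and the Python 3 target are assumptions made for the example.

```python
"""Platform-safe validation of a configured SSL/TLS protocol name."""
import ssl
import types

# Names a config file might carry (covers Python 2.7 and 3 ssl constants).
_CANDIDATE_NAMES = ("SSLv2", "SSLv3", "SSLv23", "TLS", "TLSv1", "TLSv1_1", "TLSv1_2")
# Versions refused by default even on platforms that still ship them.
_INSECURE = frozenset({"SSLv2", "SSLv3"})

class ProtocolConfigError(ValueError):
    """Unknown, unavailable, or disallowed ssl_version value."""

def available_protocols(module=ssl):
    """Return {name: constant} for the protocols this ssl module exposes."""
    # getattr with a default is the fix: referencing ssl.PROTOCOL_SSLv3
    # directly raises AttributeError on builds that stripped SSLv3, even
    # when the operator never configured SSLv3.
    found = {}
    for name in _CANDIDATE_NAMES:
        const = getattr(module, "PROTOCOL_" + name, None)
        if const is not None:
            found[name] = const
    return found

def validate_ssl_version(name, module=ssl, allow_insecure=False):
    """Map a configured name to its constant or raise a clear config error."""
    key = name.strip().replace("-", "_")
    available = available_protocols(module)
    if key not in available:
        raise ProtocolConfigError("ssl_version %r not available here (have: %s)"
                                  % (name, ", ".join(sorted(available))))
    if key in _INSECURE and not allow_insecure:
        raise ProtocolConfigError("ssl_version %r is disabled as insecure" % name)
    return available[key]

def validation_error(name, module=ssl, allow_insecure=False):
    """Return the message validation would raise, or None when accepted."""
    try:
        validate_ssl_version(name, module, allow_insecure)
    except ProtocolConfigError as exc:
        return str(exc)
    return None

def fake_platform(with_sslv3=False):
    """Constructed stand-in for an ssl module; SSLv3 is stripped unless asked for."""
    ns = types.SimpleNamespace(PROTOCOL_SSLv23=2, PROTOCOL_TLSv1=3, PROTOCOL_TLSv1_2=5)
    if with_sslv3:
        ns.PROTOCOL_SSLv3 = 1
    return ns
```

With the default arguments the functions run against the real ssl module, so the same validator works on a platform that still ships SSLv3 and on one that has removed it.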