[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

Thomas Goirand zigo at debian.org
Tue Nov 25 16:29:19 UTC 2014


On 11/23/2014 06:01 AM, Jeremy Stanley wrote:
> but we shouldn't
> backport a patch which suddenly breaks someone's cloud because they
> made a conscious decision to configure it to use SSLv3 for RPC
> communication.

I'm having a hard time figuring out in which case it would make sense to
do so. However...

On 11/23/2014 06:01 AM, Jeremy Stanley wrote:
> My point is that suggesting there's a vulnerability here without
> looking at how the code is used is sort of like shouting "fire" in a
> crowded theater.

I agree with that point, but also with your point about anticipation of
future issues. I think it would be a good idea to strengthen things, in
advance of possible downgrade attacks that may occur if we keep support
for SSLv3.

On 11/24/2014 01:09 AM, Doug Hellmann wrote:
> The only place things will be breaking is on the version of Python
> shipped by Debian where the constant used to set up the validation
> logic is no longer present in the SSL library. Let’s start by making
> the smallest change we can to fix that problem, and then move on.

Yes please! And I need this backported to Icehouse ASAP (as that's what
we're shipping in Jessie). At this point, I prefer to let others who are
better than me at these sorts of (sensitive) patches do the work.

On 11/24/2014 01:09 AM, Doug Hellmann wrote:
> That’s an easy patch for us to land, and I hope Thomas will update the
> patch he has already submitted based on feedback on that review.

Could someone take over my patch? :)
I'm quite busy doing other things, and it isn't my role to work on such
things directly. I often send a patch here and there when I see fit, but
here, I don't think I'm the best person to do so.

>> I don't really mind if we continue to allow it, but at least we
>> should move fast to have oslo-incubator fixed. I will need to do
>> something fast for Icehouse in Sid/Jessie, as we're in freeze mode.
>> Best would be to have the issue resolved before the next point
>> release (currently set for May 14 2015).
>
> Sure. See my comments on your current review for what I think we need
> to do to handle the backwards-compatibility issues more clearly.
>
> Doug

Hum... git review -d  ? :)

Thomas
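The breakage Doug describes above is a module that names ssl.PROTOCOL_SSLv3 directly and so fails with AttributeError on a Python build that no longer ships that constant. The following is an added illustration of the "smallest change" approach (look each constant up with a default instead of hardcoding it) combined with refusing SSLv3 by default; it is not oslo-incubator's code nor the patch under review, and the config-name table, the function names and the fake_ssl_module stand-in are assumptions made for the example.

```python
import ssl
import types

# Config names a deployment might use for ssl_version, mapped to the names of
# the corresponding ssl-module constants. This table is an assumption made for
# the example, not oslo's own.
_PROTOCOL_CONSTANTS = {
    "sslv3": "PROTOCOL_SSLv3",
    "sslv23": "PROTOCOL_SSLv23",
    "tlsv1": "PROTOCOL_TLSv1",
    "tlsv1_1": "PROTOCOL_TLSv1_1",
    "tlsv1_2": "PROTOCOL_TLSv1_2",
}

# Versions refused by default even on builds that still ship the constant.
_INSECURE_VERSIONS = frozenset({"sslv3"})


def available_protocols(ssl_module=ssl):
    """Return {config_name: constant} for the constants this build provides.

    Looking each constant up with getattr(..., None) is the "smallest change":
    a build that has removed PROTOCOL_SSLv3 simply yields no "sslv3" entry,
    instead of raising AttributeError when the module is imported.
    """
    found = {}
    for config_name, constant_name in _PROTOCOL_CONSTANTS.items():
        value = getattr(ssl_module, constant_name, None)
        if value is not None:
            found[config_name] = value
    return found


def validate_ssl_version(version, allow_insecure=False, ssl_module=ssl):
    """Resolve a configured ssl_version string to an ssl constant.

    Raises ValueError with an explicit message both for versions this build
    cannot provide and for versions refused on downgrade-risk grounds, so an
    operator sees a configuration error rather than a traceback.
    """
    key = version.strip().lower()
    if key in _INSECURE_VERSIONS and not allow_insecure:
        raise ValueError(
            "ssl_version %r is refused by default (downgrade risk); "
            "set allow_insecure=True only as a deliberate choice" % version)
    protocols = available_protocols(ssl_module)
    if key not in protocols:
        raise ValueError(
            "ssl_version %r is unknown or not provided by this Python/OpenSSL "
            "build; available: %s" % (version, ", ".join(sorted(protocols))))
    return protocols[key]


def fake_ssl_module(**constants):
    """Constructed stand-in for the ssl module, used to show the behaviour on
    builds with and without a given constant regardless of the host OpenSSL."""
    return types.SimpleNamespace(**constants)


if __name__ == "__main__":
    print("this build provides:", sorted(available_protocols()))
    # A build that dropped PROTOCOL_SSLv3 (as in the Sid Python discussed above):
    newer = fake_ssl_module(PROTOCOL_SSLv23=2, PROTOCOL_TLSv1=3)
    print("newer build:", available_protocols(newer))
    for cfg in ("TLSv1", "sslv3"):
        try:
            print(cfg, "->", validate_ssl_version(cfg, ssl_module=newer))
        except ValueError as exc:
            print(cfg, "->", exc)
```

Run as a script it reports which protocol constants the local build provides and then shows the two failure modes an operator would see: a version the build cannot supply, and a version refused on downgrade grounds. A deployment that has consciously chosen SSLv3, the case Jeremy raises above, keeps working on an old build only by passing allow_insecure=True, so the decision is explicit in configuration rather than implied by whatever the interpreter happens to export.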