Disabling SSLv3, TLSv1.0 and TLSv1.1 in nova-novncproxy?
melwittt at gmail.com
Fri Apr 12 22:09:34 UTC 2019
On Fri, 12 Apr 2019 15:47:28 -0300, Ricardo J. Barberis
<ricardo at palmtx.com.ar> wrote:
> Hello list,
> I've been tasked with disabling SSLv3, TLSv1.0 and TLSv1.1 in all of our
> public endpoints (not only OpenStack) and I'm having trouble finding where
> nova-novncproxy sets which protocols to use.
> I have nova-novncproxy installed in 2 servers, one CentOS 6.10 (python 2.6)
> tied to an IceHouse installation, the other a CentOS 7 (python 2.7) tied to a
> Queens installation.
> Software versions:
> [root at vnc01 ~] # rpm -qa \*nova\* \*vnc\* | sort
> [root at vnc02 ~] # rpm -qa \*nova\* \*vnc\* | sort
> Any pointers will be appreciated.
> BTW, I also tried proxying them with nginx but in that case the vnc console
> doesn't work. I didn't try too hard to debug it, though.
TL;DR: The protocol version is handled automatically.
The nova-novncproxy is a websockify server and it is in websockify code
where the socket is wrapped for SSL. By default, wrap_socket
uses the PROTOCOL_SSLv23 constant. In python 2.6, it "Selects SSL
version 2 or 3 as the channel encryption protocol." In python 2.7,
it's an alias for PROTOCOL_TLS and "Selects the highest protocol version
that both the client and server support." The available versions with
PROTOCOL_SSLv23 depend on the openssl version being used.
Hope this helps.
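An added example (not code from the thread, websockify or nova) that turns the reply's explanation into a check: `legacy_context()` mirrors the "highest version both sides support" behaviour of PROTOCOL_SSLv23 by setting no version floor, `hardened_context()` sets a TLS 1.2 floor, and `permitted_versions()` reports which versions each context's policy still allows, honouring both the minimum/maximum window and any OP_NO_* flags. All function names and the optional cert paths are my own assumptions.

```python
import ssl

# Oldest -> newest; each version is paired with the legacy OP_NO_* option that
# older code built around ssl.wrap_socket() (as websockify was) might still set.
_VERSIONS = (
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1),
    ("TLSv1_1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    ("TLSv1_2", ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    ("TLSv1_3", ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
)
LEGACY = frozenset({"SSLv3", "TLSv1", "TLSv1_1"})  # what the asker must disable


def _bound(value, fallback):
    """Map the MINIMUM_/MAXIMUM_SUPPORTED sentinels to a concrete version."""
    sentinels = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED)
    return fallback if value in sentinels else value


def permitted_versions(ctx):
    """Versions the context's configured policy allows: inside the
    minimum/maximum window and not switched off by an OP_NO_* flag.
    This is policy only; the OpenSSL build underneath may refuse more."""
    low = _bound(ctx.minimum_version, ssl.TLSVersion.SSLv3)
    high = _bound(ctx.maximum_version, ssl.TLSVersion.TLSv1_3)
    return [name for name, ver, no_flag in _VERSIONS
            if low <= ver <= high and not (ctx.options & no_flag)]


def rejects_legacy(ctx):
    """True once SSLv3, TLSv1.0 and TLSv1.1 are all disabled by policy."""
    return not (LEGACY & set(permitted_versions(ctx)))


def legacy_context():
    """No version floor: 'highest version both sides support', as in the reply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(certfile=None, keyfile=None):
    """Same server context with a TLS 1.2 floor; cert paths are optional here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # hypothetical paths: the thread does not show nova's cert config
        ctx.load_cert_chain(certfile, keyfile)
    return ctx
```

Because the check reads the context's policy rather than probing a live endpoint, a separate scan of the public port is still needed to confirm what the installed openssl actually negotiates.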