Disabling SSLv3, TLSv1.0 and TLSv1.1 in nova-novncproxy?
Hello list,

I've been tasked with disabling SSLv3, TLSv1.0 and TLSv1.1 in all of our public endpoints (not only OpenStack) and I'm having trouble finding where nova-novncproxy sets which protocols to use.

I have nova-novncproxy installed in 2 servers, one CentOS 6.10 (python 2.6) tied to an IceHouse installation, the other a CentOS 7 (python 2.7) tied to a Queens installation.

Software versions:

[root@vnc01 ~] # rpm -qa \*nova\* \*vnc\* | sort
novnc-0.4-8.el6.noarch
openstack-nova-common-2014.1.5-1.el6.noarch
openstack-nova-novncproxy-2014.1.5-1.el6.noarch
python-nova-2014.1.5-1.el6.noarch
python-novaclient-2.17.0-2.el6.noarch

[root@vnc02 ~] # rpm -qa \*nova\* \*vnc\* | sort
novnc-0.5.1-2.el7.noarch
openstack-nova-common-17.0.9-1.el7.noarch
openstack-nova-novncproxy-17.0.9-1.el7.noarch
python-nova-17.0.9-1.el7.noarch
python2-novaclient-10.1.0-1.el7.noarch

Any pointers will be appreciated.

BTW, I also tried proxying them with nginx but in that case the vnc console doesn't work. I didn't try too hard to debug it, though.

Thanks,
--
Ricardo J. Barberis
Linux User No. 250625: http://counter.li.org/
LFS User No. 5121: http://www.linuxfromscratch.org/
Senior SysAdmin / IT Architect - www.DonWeb.com
On Fri, 12 Apr 2019 15:47:28 -0300, Ricardo J. Barberis <ricardo@palmtx.com.ar> wrote:
> Hello list,
>
> I've been tasked with disabling SSLv3, TLSv1.0 and TLSv1.1 in all of our public endpoints (not only OpenStack) and I'm having trouble finding where nova-novncproxy sets which protocols to use.
>
> I have nova-novncproxy installed in 2 servers, one CentOS 6.10 (python 2.6) tied to an IceHouse installation, the other a CentOS 7 (python 2.7) tied to a Queens installation.
>
> Software versions:
>
> [root@vnc01 ~] # rpm -qa \*nova\* \*vnc\* | sort
> novnc-0.4-8.el6.noarch
> openstack-nova-common-2014.1.5-1.el6.noarch
> openstack-nova-novncproxy-2014.1.5-1.el6.noarch
> python-nova-2014.1.5-1.el6.noarch
> python-novaclient-2.17.0-2.el6.noarch
>
> [root@vnc02 ~] # rpm -qa \*nova\* \*vnc\* | sort
> novnc-0.5.1-2.el7.noarch
> openstack-nova-common-17.0.9-1.el7.noarch
> openstack-nova-novncproxy-17.0.9-1.el7.noarch
> python-nova-17.0.9-1.el7.noarch
> python2-novaclient-10.1.0-1.el7.noarch
>
> Any pointers will be appreciated.
>
> BTW, I also tried proxying them with nginx but in that case the vnc console doesn't work. I didn't try too hard to debug it, though.
TL;DR: The protocol version is handled automatically.

The nova-novncproxy is a websockify server and it is in websockify code where the socket is wrapped for SSL [1]. By default, wrap_socket [2] uses the PROTOCOL_SSLv23 constant. In python 2.6, it "Selects SSL version 2 or 3 as the channel encryption protocol." [3]. In python 2.7, it's an alias for PROTOCOL_TLS and "Selects the highest protocol version that both the client and server support." [4]. The available versions with PROTOCOL_SSLv23 depend on the openssl version being used [5].

Hope this helps.

-melanie

[1] https://github.com/novnc/websockify/blob/e4658ada2e2e179cdb8f6362dbb7c5e3ce3ff717/websockify/websockifyserver.py#L585
[2] https://docs.python.org/2/library/ssl.html#ssl.wrap_socket
[3] https://docs.python.org/2.6/library/ssl.html#ssl.PROTOCOL_SSLv23
[4] https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_SSLv23
[5] https://docs.python.org/2/library/ssl.html#id2
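The reply above explains the mechanism (wrap_socket's PROTOCOL_SSLv23 default leaves the version choice to OpenSSL) but not how to turn that into the constraint the question asks for. The following Python 3.7+ script is an added example written for this thread, not code from websockify, nova or either poster: it reports which protocol versions a context is configured to negotiate, narrows that by what the linked OpenSSL actually implements (the dependency [5] refers to), and builds a server context that refuses SSLv3, TLSv1.0 and TLSv1.1. All function names are this example's own; certfile/keyfile are placeholders for the operator's paths.

```python
"""Inspect and constrain the TLS versions a Python SSLContext will negotiate.

Added example for this thread, not code from websockify or nova. It models the
situation described above: websockify wraps the listening socket with
ssl.wrap_socket(), whose default protocol, PROTOCOL_SSLv23, lets OpenSSL pick
any version both peers support. To refuse SSLv3, TLSv1.0 and TLSv1.1 the
context must be constrained explicitly. Needs Python 3.7+ (ssl.TLSVersion).
"""
import ssl
import warnings

# Protocol versions in negotiation order, each with the legacy OP_NO_* flag that
# masks it and the ssl.HAS_* flag saying whether the linked OpenSSL has it at all.
_VERSIONS = [
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3,   ssl.HAS_SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1,   ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3, ssl.HAS_TLSv1_3),
]


def allowed_versions(ctx):
    """Names of the protocol versions ctx is configured to permit.

    Both mechanisms OpenSSL honours are consulted: the legacy OP_NO_* option
    bits and the newer minimum_version/maximum_version bounds. A version is
    allowed only if neither excludes it.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for name, ver, no_flag, _ in _VERSIONS
            if lo <= ver <= hi and not (ctx.options & no_flag)]


def negotiable_versions(ctx):
    """allowed_versions() narrowed to what the linked OpenSSL actually implements.

    A context may 'allow' SSLv3 while the library was built without it, which
    is why the reachable set depends on the OpenSSL build and not only on the
    Python constant.
    """
    built_in = {name for name, _, _, has in _VERSIONS if has}
    return [name for name in allowed_versions(ctx) if name in built_in]


def stock_context():
    """The context ssl.wrap_socket() used by default: PROTOCOL_SSLv23.

    PROTOCOL_SSLv23 is the alias for PROTOCOL_TLS, so the permitted set is
    whatever this interpreter and OpenSSL release default to. Python 3.10+
    deprecates the constant but still accepts it; the warning is silenced so
    the example runs quietly.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_SSLv23)


def hardened_context(certfile=None, keyfile=None):
    """Server-side context that refuses everything below TLS 1.2.

    Both mechanisms are set so the floor holds whichever one the interpreter
    and OpenSSL pair honours: the min_proto_version bound (OpenSSL 1.1.0+) and
    the legacy OP_NO_* bits (the only option on Python 2.7.9+, which is what
    the CentOS 7 host in the thread has). certfile/keyfile are placeholders
    for the operator's own certificate and key paths.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with warnings.catch_warnings():
        # OP_NO_* flags are deprecated since 3.7 but still enforced.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
                        | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, ctx in (("wrap_socket default", stock_context()),
                       ("hardened", hardened_context())):
        print(f"{label:20s} allowed={allowed_versions(ctx)} "
              f"negotiable={negotiable_versions(ctx)}")
```

Whatever the stock report shows on a given host, the hardened context is the setting that has to reach the point where the socket is wrapped, i.e. the websockify code at [1], or whatever terminates TLS in front of it; Python alone cannot bring back a version the OpenSSL build lacks, and a context cannot be trusted to exclude one unless it is told to.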
On Friday 12/04/2019 at 19:09, melanie witt wrote:
> On Fri, 12 Apr 2019 15:47:28 -0300, Ricardo J. Barberis <ricardo@palmtx.com.ar> wrote:
> > Hello list,
> >
> > I've been tasked with disabling SSLv3, TLSv1.0 and TLSv1.1 in all of our public endpoints (not only OpenStack) and I'm having trouble finding where nova-novncproxy sets which protocols to use.
> >
> > I have nova-novncproxy installed in 2 servers, one CentOS 6.10 (python 2.6) tied to an IceHouse installation, the other a CentOS 7 (python 2.7) tied to a Queens installation.
> >
> > Software versions:
> >
> > [root@vnc01 ~] # rpm -qa \*nova\* \*vnc\* | sort
> > novnc-0.4-8.el6.noarch
> > openstack-nova-common-2014.1.5-1.el6.noarch
> > openstack-nova-novncproxy-2014.1.5-1.el6.noarch
> > python-nova-2014.1.5-1.el6.noarch
> > python-novaclient-2.17.0-2.el6.noarch
> >
> > [root@vnc02 ~] # rpm -qa \*nova\* \*vnc\* | sort
> > novnc-0.5.1-2.el7.noarch
> > openstack-nova-common-17.0.9-1.el7.noarch
> > openstack-nova-novncproxy-17.0.9-1.el7.noarch
> > python-nova-17.0.9-1.el7.noarch
> > python2-novaclient-10.1.0-1.el7.noarch
> >
> > Any pointers will be appreciated.
> >
> > BTW, I also tried proxying them with nginx but in that case the vnc console doesn't work. I didn't try too hard to debug it, though.
>
> TL;DR: The protocol version is handled automatically.
>
> The nova-novncproxy is a websockify server and it is in websockify code where the socket is wrapped for SSL [1]. By default, wrap_socket [2] uses the PROTOCOL_SSLv23 constant. In python 2.6, it "Selects SSL version 2 or 3 as the channel encryption protocol." [3]. In python 2.7, it's an alias for PROTOCOL_TLS and "Selects the highest protocol version that both the client and server support." [4]. The available versions with PROTOCOL_SSLv23 depend on the openssl version being used [5].
>
> Hope this helps.
Thanks, it clarifies a lot :)
> -melanie
>
> [1] https://github.com/novnc/websockify/blob/e4658ada2e2e179cdb8f6362dbb7c5e3ce3ff717/websockify/websockifyserver.py#L585
> [2] https://docs.python.org/2/library/ssl.html#ssl.wrap_socket
> [3] https://docs.python.org/2.6/library/ssl.html#ssl.PROTOCOL_SSLv23
> [4] https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_SSLv23
> [5] https://docs.python.org/2/library/ssl.html#id2
--
Ricardo J. Barberis
Linux User No. 250625: http://counter.li.org/
LFS User No. 5121: http://www.linuxfromscratch.org/
Senior SysAdmin / IT Architect - www.DonWeb.com