[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

Thomas Goirand zigo at debian.org
Fri Nov 21 09:56:29 UTC 2014


Hi,

Trying to rebuild Neutron Juno in Sid, I get so many of these failures:

Traceback (most recent call last):
  File "/home/zigo/sources/openstack/juno/neutron/build-area/neutron-2014.2/neutron/tests/unit/agent/linux/test_ovs_lib.py", line 137, in setUp
    super(OVS_Lib_Test, self).setUp()
  File "/home/zigo/sources/openstack/juno/neutron/build-area/neutron-2014.2/neutron/tests/base.py", line 128, in setUp
    self.setup_rpc_mocks()
  File "/home/zigo/sources/openstack/juno/neutron/build-area/neutron-2014.2/neutron/tests/base.py", line 150, in setup_rpc_mocks
    self.messaging_conf = messaging_conffixture.ConfFixture(CONF)
  File "/usr/lib/python2.7/dist-packages/oslo/messaging/conffixture.py", line 48, in __init__
    'oslo.messaging._drivers.impl_rabbit', 'rabbit_opts')
  File "/usr/lib/python2.7/dist-packages/oslo/messaging/conffixture.py", line 24, in _import_opts
    __import__(module)
  File "/usr/lib/python2.7/dist-packages/oslo/messaging/_drivers/impl_rabbit.py", line 420, in <module>
    class Connection(object):
  File "/usr/lib/python2.7/dist-packages/oslo/messaging/_drivers/impl_rabbit.py", line 497, in Connection
    "sslv3": ssl.PROTOCOL_SSLv3
AttributeError: 'module' object has no attribute 'PROTOCOL_SSLv3'

Having a deeper look into the issue, I saw the following changelog in
Python 2.7 (this was uploaded 3 days ago in Sid):

  * Allow building and testing without SSLv3 support (Kurt Roeckx).
    Closes: #768611.

Having a closer look at oslo.messaging reveals this in
oslo/messaging/_drivers/impl_rabbit.py:

    _SSL_PROTOCOLS = {
        "tlsv1": ssl.PROTOCOL_TLSv1,
        "sslv23": ssl.PROTOCOL_SSLv23,
        "sslv3": ssl.PROTOCOL_SSLv3
    }

Removing the last line (which makes the PROTOCOL_SSLv3 not used anymore)
fixed the build of Neutron.

Obviously, what happened in Debian is that Kurt Roeckx, the maintainer
of openssl, removed support for SSLv3, because of potential security
issues (downgrade attacks), which were revealed by the infamous POODLE bug.

Obviously also, we shall remove PROTOCOL_SSLv3 from one of the possible
options in oslo.messaging.

I thought this deserved explanations so that the review here can be
understood better:
https://review.openstack.org/136278

This should also be backported to the Icehouse and Juno releases. My
package for Sid has already been updated with this patch, and I will ask
for an unblock by the Debian release team, so that oslo.messaging
migrates to Jessie. I'm about to also do the work for oslo.messaging
1.4.1 in Experimental.

Cheers,

Thomas Goirand (zigo)
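
Added example, not part of the original message and not oslo.messaging's code: one way to keep a protocol table like the _SSL_PROTOCOLS dict quoted above from failing at import time is to look each constant up at runtime and turn a missing protocol into a configuration error. The function names and the stand-in module are hypothetical; the three config names and constants are the ones quoted in the message.

```python
import ssl
import types

# Config name -> attribute name in the ssl module (the three entries of the
# _SSL_PROTOCOLS dict quoted in the message).
_CANDIDATES = {
    "tlsv1": "PROTOCOL_TLSv1",
    "sslv23": "PROTOCOL_SSLv23",
    "sslv3": "PROTOCOL_SSLv3",
}


def build_protocol_map(ssl_module=ssl):
    """Return only the protocols that this ssl module actually exposes."""
    available = {}
    for name, attr in _CANDIDATES.items():
        # getattr with a default avoids the AttributeError from the traceback.
        value = getattr(ssl_module, attr, None)
        if value is not None:
            available[name] = value
    return available


def validate_ssl_version(version, ssl_module=ssl):
    """Map a configured version string to a constant, or raise ValueError."""
    protocols = build_protocol_map(ssl_module)
    key = version.lower()
    if key not in protocols:
        raise ValueError(
            "SSL version %r is not supported by this Python build; "
            "available: %s" % (version, ", ".join(sorted(protocols))))
    return protocols[key]


# Constructed stand-in for an ssl module built without SSLv3, as in Sid.
# The integer values are placeholders, not the real constants.
_NO_SSLV3 = types.SimpleNamespace(PROTOCOL_TLSv1=3, PROTOCOL_SSLv23=2)

if __name__ == "__main__":
    print("this interpreter:", sorted(build_protocol_map()))
    print("build without SSLv3:", sorted(build_protocol_map(_NO_SSLV3)))
```

On a build that still ships PROTOCOL_SSLv3 this table keeps offering it; deleting the entry, as the message proposes, is what removes the option everywhere.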