[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

Robert Collins robertc at robertcollins.net
Sat Nov 22 06:45:09 UTC 2014


On 22 November 2014 08:11, Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote:
>> Death to SSLv3 IMO.
>
> Sure, we should avoid releasing new versions of things which assume
> SSLv3 support is present in underlying libraries/platforms (it's
> unclear to me why anyone even thought it was good to make that
> configurable to this degree in openstack-common, but it probably
> dates back to before the nova common split). But what we're talking
> about here is fixing a deployability/usability bug where the
> software is assuming the presence of something removed from a
> dependency on some platform. I'd rather not conflate it with
> knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the
> impression there's some vulnerability here.
>
> Ceasing to assume the presence of SSLv3 support is a safe choice for
> the software in question. Forcing changes to stable branches for
> this should be taken on its merits as a normal bug, and not
> prioritized because of any perceived security impact.

Given the persistent risks of downgrade attacks, I think this does
actually qualify as a security issue: not that it's breaking, but that
SSLv3 is advertised and accepted anywhere.

The lines two lower:
    import ssl              # context for the snippet: module providing the constants
    _SSL_PROTOCOLS = {}     # config name -> ssl.PROTOCOL_* constant
    try:
        _SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
    except AttributeError:
        pass                # constant absent on this platform; silently skipped

Are even more concerning!

That said, code like:
https://github.com/mpaladin/python-amqpclt/blob/master/amqpclt/kombu.py#L101

is truly egregious!

:)

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud


