[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

Donald Stufft donald at stufft.io
Sat Nov 22 18:37:55 UTC 2014

> On Nov 22, 2014, at 1:45 AM, Robert Collins <robertc at robertcollins.net> wrote:
> On 22 November 2014 08:11, Jeremy Stanley <fungi at yuggoth.org> wrote:
>> On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote:
>>> Death to SSLv3 IMO.
>> Sure, we should avoid releasing new versions of things which assume
>> SSLv3 support is present in underlying libraries/platforms (it's
>> unclear to me why anyone even thought it was good to make that
>> configurable to this degree in openstack-common, but it probably
>> dates back to before the nova common split). But what we're talking
>> about here is fixing a deployability/usability bug where the
>> software is assuming the presence of something removed from a
>> dependency on some platform. I'd rather not conflate it with
>> knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the
>> impression there's some vulnerability here.
>> Ceasing to assume the presence of SSLv3 support is a safe choice for
>> the software in question. Forcing changes to stable branches for
>> this should be taken on its merits as a normal bug, and not
>> prioritized because of any perceived security impact.
> Given the persistent risks of downgrade attacks, I think this does
> actually qualify as a security issue: not that its breaking,but that
> SSLv3 is advertised and accepted anywhere.
> The lines two lower:
>    try:
>        _SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
>    except AttributeError:
>        pass
> Are even more concerning!
> That said, code like:
> https://github.com/mpaladin/python-amqpclt/blob/master/amqpclt/kombu.py#L101
> is truely egregious!
> :)

Yes this. SSLv3 isn’t a “Well as long as you have newer things enabled it’s
fine” it’s a “If you have this enabled at all it’s a problem”. As far as I
am aware without TLS_FALLBACK_SCSV a MITM who is willing to do active attacks
can force the connection over to the lowest protocol that a client and server
support. There is no way for the server to verify that the message sent from
the client that indicates their highest was not modified in transit.

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

More information about the OpenStack-dev mailing list