[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

Robert Collins robertc at robertcollins.net
Sun Nov 23 20:18:50 UTC 2014

On 23 November 2014 at 11:01, Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2014-11-22 19:45:09 +1300 (+1300), Robert Collins wrote:
>> Given the persistent risks of downgrade attacks, I think this does
>> actually qualify as a security issue: not that it's breaking, but
>> that SSLv3 is advertised and accepted anywhere.
> Which downgrade attacks? Outside of Web browser authors deciding it
> was a good idea to bypass the normal TLS negotiation mechanism, as
> long as both ends _support_ TLS then causing a downgrade within TLS
> version negotiation to SSLv3 or earlier should not be possible. If

That's my understanding too; while this code is targeted for kombu use,
I remain paranoid.

> you're suggesting we strengthen against unknown future attacks,
> that's a fine idea and is something we call "security hardening"
> (not a vulnerability fix).

Fair enough.

> My point is that suggesting there's a vulnerability here without
> looking at how the code is used is sort of like shouting "fire" in a
> crowded theater.

Point taken. Sorry :)


Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
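The two points the thread makes (code that references ssl.PROTOCOL_SSLv3 unconditionally breaks on a build that dropped the constant, and a client should not advertise SSLv3 at all as hardening) can both be shown in a few lines of the standard ssl module. The following is an added example for this discussion, not code from the thread, from kombu or from any OpenStack project; it assumes Python 3.7 or newer, and the function names are my own.

```python
import ssl

# Legacy protocol constants that some builds of the ssl module no longer
# expose. Look them up by name instead of referencing them directly, so
# the module still imports on a build like the Sid python2.7 in the thread.
LEGACY_PROTOCOLS = ("PROTOCOL_SSLv2", "PROTOCOL_SSLv3")


def legacy_protocols_present():
    """Return the names of the legacy protocol constants this build exposes.

    An empty tuple means the build already dropped them; any code that did
    `ssl.PROTOCOL_SSLv3` unconditionally would raise AttributeError here.
    """
    return tuple(name for name in LEGACY_PROTOCOLS if hasattr(ssl, name))


def hardened_client_context(cafile=None):
    """Build a client SSLContext that will never negotiate SSLv2/SSLv3.

    The hardening point from the thread: do not advertise or accept SSLv3,
    whether or not the interpreter still knows the constant. Setting a
    minimum TLS version is the current way to express that; the OP_NO_*
    bits are ORed in as well so the intent survives on older releases
    where minimum_version is not honoured (they are deprecated but harmless
    on newer ones).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        # cafile is an assumed, caller-supplied CA bundle path.
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def sslv3_disabled(ctx):
    """True when the context carries the OP_NO_SSLv3 bit."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def minimum_is_tls12_or_better(ctx):
    """True when the context refuses anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    print("legacy constants present:", legacy_protocols_present() or "none")
    context = hardened_client_context()
    print("SSLv3 disabled:", sslv3_disabled(context))
    print("min TLS 1.2:", minimum_is_tls12_or_better(context))
```

The useful check for a reviewer is the last two functions: run them against whatever context a library hands you, and you learn whether SSLv3 is merely unavailable on this build or actually switched off by policy, which is the distinction the thread draws between a breakage and a hardening.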

