[openstack-dev] [nova] About use oslo_service in nova and fix for OSSN-0039

Chen CH Ji jichenjc at cn.ibm.com
Fri Apr 21 02:44:38 UTC 2017


Hi,

In https://wiki.openstack.org/wiki/OSSN/OSSN-0039, it's requested that the
SSL/TLS library (OpenSSL in this case) is compiled without SSLv3. Our
internal discussion from some security experts suggested we need to add some
code to https://github.com/openstack/nova/blob/master/nova/wsgi.py#L168,
maybe something like:

    dup_socket = eventlet.wrap_ssl(dup_socket, ssl_version=ssl.PROTOCOL_TLSv1_2,

so that nova client only requests TLSv1_2.

So the questions are:

1) Why didn't nova use oslo service, so we can honor some options like the
following, which nova doesn't seem to have?
https://github.com/openstack/oslo.service/blob/master/oslo_service/_options.py#L108
https://github.com/openstack/oslo.service/blob/master/oslo_service/_options.py#L114

2) Is there an existing requirement for nova (and maybe other projects) on
OSSN 0039 in addition to recompiling the SSL library?


Best Regards!

Kevin (Chen) Ji 纪 晨

Engineer, zVM Development, CSTL
Notes: Chen CH Ji/China/IBM at IBMCN   Internet: jichenjc at cn.ibm.com
Phone: +86-10-82451493
Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District,
Beijing 100193, PRC
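
An added example, not part of the original message and not nova's or oslo.service's code: it uses only the Python standard-library ssl module (not eventlet.wrap_ssl) to contrast pinning a server to exactly TLS 1.2, which is what ssl.PROTOCOL_TLSv1_2 selects, with setting TLS 1.2 as a floor, and audits which protocol versions a context would still accept. The helper names server_context and allowed_versions are hypothetical.

```python
import ssl

# Protocol versions in ascending order, each with the legacy OP_NO_* flag that
# disables it on a context and whether this OpenSSL build supports it at all.
_VERSIONS = [
    (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3, ssl.HAS_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1, ssl.HAS_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1, ssl.HAS_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2, ssl.HAS_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3, ssl.HAS_TLSv1_3),
]


def server_context(floor=ssl.TLSVersion.TLSv1_2, pin=False):
    """Build a server-side context (hypothetical helper for this example).

    pin=False: `floor` is the lowest version accepted; newer ones stay enabled.
    pin=True:  only `floor` is accepted, the effect of a version-specific
               protocol constant such as ssl.PROTOCOL_TLSv1_2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor
    if pin:
        ctx.maximum_version = floor
    return ctx


def allowed_versions(ctx):
    """Return the names of the protocol versions `ctx` can still negotiate."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    names = []
    for version, no_flag, supported in _VERSIONS:
        if not supported:
            continue  # compiled out of the library, as OSSN-0039 asks for SSLv3
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue  # below the configured floor
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue  # above the configured ceiling
        if ctx.options & no_flag:
            continue  # disabled through a legacy OP_NO_* option
        names.append(version.name)
    return names


if __name__ == "__main__":
    print("pinned:", allowed_versions(server_context(pin=True)))
    print("floor: ", allowed_versions(server_context()))
```

With the floor form, TLS 1.3 remains available wherever the library supports it; the pinned form refuses it along with everything older than TLS 1.2.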