[
https://issues.apache.org/jira/browse/QPID-6166?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Justin Ross updated QPID-6166:
------------------------------
Fix Version/s: (was: Future)
qpid-python-1.36.0
> [python] Disable SSLv3 support in pure-python client
> ----------------------------------------------------
>
> Key: QPID-6166
> URL: https://issues.apache.org/jira/browse/QPID-6166
> Project: Qpid
> Issue Type: Bug
> Components: Python Client
> Affects Versions: 0.30
> Reporter: Ken Giusti
> Assignee: Ken Giusti
> Fix For: qpid-python-1.36.0
>
>
> In light of the padding vulnerability of SSLv3, we should prevent the python
> client from allowing the SSL handshake to downgrade to SSLv3.
> Unfortunately, the latest release of python 2.7.8 does not give us the
> ability to disable just the SSLv3 capability. The next release of python
> (2.7.9) should allow this according to the documentation:
> https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3
> This vulnerability can be disabled merely by eliminating support for SSLv3 on
> one end of the connection. Given that QPID-6160 will disable SSLv3 on the
> broker, simply fixing this on the broker side will mitigate the issue. So
> until the next version of Python is made available, we should recommend
> QPID-6160 be adopted as the fix to this problem.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
