[
https://issues.apache.org/jira/browse/QPID-6166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16398046#comment-16398046
]
Justin Ross commented on QPID-6166:
-----------------------------------
I checked on my F26 box and on CentOS 7. It appears we can do this now.
[root@7d9ac0a8cf05 /]# python <-- CentOS 7
Python 2.7.5 (default, Aug 4 2017, 00:39:18)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OP_NO_SSLv3
33554432
> [python] Disable SSLv3 support in pure-python client
> ----------------------------------------------------
>
> Key: QPID-6166
> URL: https://issues.apache.org/jira/browse/QPID-6166
> Project: Qpid
> Issue Type: Bug
> Components: Python Client
> Affects Versions: 0.30
> Reporter: Ken Giusti
> Assignee: Ken Giusti
> Priority: Major
> Fix For: qpid-python-1.38.0
>
>
> In light of the padding vulnerability of SSLv3, we should prevent the python
> client from allowing the SSL handshake to downgrade to SSLv3.
> Unfortunately, the latest release of python 2.7.8 does not give us the
> ability to disable just the SSLv3 capability. The next release of python
> (2.7.9) should allow this according to the documentation:
> https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3
> This vulnerability can be disabled merely by eliminating support for SSLv3 on
> one end of the connection. Given that QPID-6160 will disable SSLv3 on the
> broker, simply fixing this on the broker side will mitigate the issue. So
> until the next version of Python is made available, we should recommend
> QPID-6160 be adopted as the fix to this problem.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
