[ 
https://issues.apache.org/jira/browse/QPID-6166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16398046#comment-16398046
 ] 

Justin Ross commented on QPID-6166:
-----------------------------------

I checked on my F26 box and on CentOS 7.  It appears we can do this now.

[root@7d9ac0a8cf05 /]# python                     <-- CentOS 7
Python 2.7.5 (default, Aug 4 2017, 00:39:18) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OP_NO_SSLv3
33554432

> [python] Disable SSLv3 support in pure-python client
> ----------------------------------------------------
>
>                 Key: QPID-6166
>                 URL: https://issues.apache.org/jira/browse/QPID-6166
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>    Affects Versions: 0.30
>            Reporter: Ken Giusti
>            Assignee: Ken Giusti
>            Priority: Major
>             Fix For: qpid-python-1.38.0
>
>
> In light of the padding vulnerability of SSLv3, we should prevent the python 
> client from allowing the SSL handshake to downgrade to SSLv3.
> Unfortunately, the latest release of python 2.7.8 does not give us the 
> ability to disable just the SSLv3 capability.  The next release of python 
> (2.7.9) should allow this according to the documentation:  
> https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3
> This vulnerability can be disabled merely by eliminating support for SSLv3 on 
> one end of the connection. Given that QPID-6160 will disable SSLv3 on the 
> broker, simply fixing this on the broker side will mitigate the issue.  So 
> until the next version of Python is made available, we should recommend 
> QPID-6160 be adopted as the fix to this problem.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to