Hi,

In https://wiki.openstack.org/wiki/OSSN/OSSN-0039, it's requested that the SSL/TLS library (OpenSSL in this case) is compiled without SSLv3. Our internal discussion with some security experts suggested we need to add some code to https://github.com/openstack/nova/blob/master/nova/wsgi.py#L168, maybe something like:

    dup_socket = eventlet.wrap_ssl(dup_socket, ssl_version=ssl.PROTOCOL_TLSv1_2,

so that nova client only requests TLSv1_2.

So the questions are:

1) Why didn't nova use oslo service, so that we can honor some options like the following, which nova doesn't seem to have?
   https://github.com/openstack/oslo.service/blob/master/oslo_service/_options.py#L108
   https://github.com/openstack/oslo.service/blob/master/oslo_service/_options.py#L114

2) Is there an existing requirement on nova (and maybe other projects) for OSSN 0039 in addition to recompiling the SSL library?

Best Regards!

Kevin (Chen) Ji 纪 晨
Engineer, zVM Development, CSTL
Notes: Chen CH Ji/China/IBM@IBMCN
Internet: jiche...@cn.ibm.com
Phone: +86-10-82451493
Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District, Beijing 100193, PRC
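Added example (not part of the original message, and not nova or oslo.service code): a standard-library sketch of the application-side restriction the message asks about, using a protocol floor on an ssl.SSLContext instead of pinning one version, plus a check that reports which pre-TLS-1.2 versions a context is still configured to accept. The function names and the TLS 1.2 floor are assumptions made for the example.

```python
import ssl

# Assumed policy for this example: anything below TLS 1.2 is a finding.
FLOOR = ssl.TLSVersion.TLSv1_2

# Per-version opt-out flags that can also disable a protocol on a context.
_NO_FLAG = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
}

_NEGOTIATING = (ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER)


def build_server_context(certfile=None, keyfile=None):
    """Return a server context that negotiates TLS 1.2 or newer only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = FLOOR
    # Kept explicit so the refusal of SSLv3 does not depend on library defaults.
    ctx.options |= ssl.OP_NO_SSLv3
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_versions_allowed(ctx):
    """List names of versions below FLOOR that ctx is configured to accept."""
    if ctx.protocol not in _NEGOTIATING:
        # Version-pinned contexts do not expose a usable min/max range.
        raise ValueError("version-pinned context; inspect ctx.protocol instead")
    lo, hi = ctx.minimum_version, ctx.maximum_version
    weak = []
    for version, flag in _NO_FLAG.items():
        above_min = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= lo
        below_max = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
        if above_min and below_max and not ctx.options & flag:
            weak.append(version.name)
    return weak


if __name__ == "__main__":
    print("weak versions on hardened context:",
          weak_versions_allowed(build_server_context()))
```

The check reads the context's configuration only; ssl.HAS_SSLv3 reports whether the linked OpenSSL was built with SSLv3 at all, which is the build-time condition OSSN-0039 asks for.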