On 22 November 2014 08:11, Jeremy Stanley <[email protected]> wrote:
> On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote:
>> Death to SSLv3 IMO.
>
> Sure, we should avoid releasing new versions of things which assume
> SSLv3 support is present in underlying libraries/platforms (it's
> unclear to me why anyone even thought it was good to make that
> configurable to this degree in openstack-common, but it probably
> dates back to before the nova common split). But what we're talking
> about here is fixing a deployability/usability bug where the
> software is assuming the presence of something removed from a
> dependency on some platform. I'd rather not conflate it with
> knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the
> impression there's some vulnerability here.
>
> Ceasing to assume the presence of SSLv3 support is a safe choice for
> the software in question. Forcing changes to stable branches for
> this should be taken on its merits as a normal bug, and not
> prioritized because of any perceived security impact.
Given the persistent risks of downgrade attacks, I think this does
actually qualify as a security issue: not that it's breaking, but that
SSLv3 is advertised and accepted anywhere.
The lines two lower:

    import ssl

    _SSL_PROTOCOLS = {}
    # Silently keep an "sslv2" knob wherever the platform's ssl module
    # still exposes the constant; only platforms that removed it skip it.
    try:
        _SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
    except AttributeError:
        pass

are even more concerning!
That said, code like:
https://github.com/mpaladin/python-amqpclt/blob/master/amqpclt/kombu.py#L101
is truly egregious!
:)
-Rob
--
Robert Collins <[email protected]>
Distinguished Technologist
HP Converged Cloud
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
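An added example of the alternative Rob is arguing for (this is illustration
written for this page, not oslo or OpenStack code; the names TLS_FLOORS,
validate_ssl_version, make_context and accepts_sslv3 are hypothetical). The
point is that a config option like ssl_version should map names onto a
minimum TLS version the context enforces, rather than onto whatever
PROTOCOL_* constants happen to survive in the platform's ssl module. The
lenient pattern is reproduced beside it only to show which names it would
quietly accept on the running interpreter.

```python
"""Name -> protocol handling that cannot end up advertising SSLv2/SSLv3.

Hypothetical replacement for a _SSL_PROTOCOLS-style table (example code
for this thread, not oslo's). Requires Python 3.7+ for ssl.TLSVersion.
"""
import ssl

# Allowed config values. SSLv2/SSLv3 (and TLS 1.0/1.1) are simply absent:
# a config file saying ssl_version = sslv3 fails loudly at validation time
# instead of depending on whether the platform's OpenSSL removed SSLv3.
TLS_FLOORS = {
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}


def lenient_protocol_table():
    """The pattern under discussion, for contrast: keep every PROTOCOL_*
    constant the interpreter happens to expose. Whether 'sslv3' is accepted
    is decided by the platform, not by the application."""
    table = {}
    for name, attr in (("sslv2", "PROTOCOL_SSLv2"), ("sslv3", "PROTOCOL_SSLv3"),
                       ("tlsv1", "PROTOCOL_TLSv1")):
        proto = getattr(ssl, attr, None)  # same effect as try/except AttributeError
        if proto is not None:
            table[name] = proto
    return table


def validate_ssl_version(name):
    """Return the TLSVersion floor for a config value; reject anything else."""
    key = name.strip().lower()
    try:
        return TLS_FLOORS[key]
    except KeyError:
        raise ValueError(
            "unsupported ssl_version %r; allowed: %s" % (name, sorted(TLS_FLOORS))
        ) from None


def make_context(ssl_version="tlsv1.2", server_side=False):
    """Build a context that refuses to negotiate below the configured floor.

    Downgrade resistance comes from minimum_version, which the peer cannot
    talk the handshake below, rather than from which constant names exist.
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = validate_ssl_version(ssl_version)
    return ctx


def accepts_sslv3(ctx):
    """True if a context could still end up negotiating SSLv3: the floor is
    at or below SSLv3 and the OP_NO_SSLv3 bit is not set."""
    floor_low_enough = ctx.minimum_version <= ssl.TLSVersion.SSLv3
    return floor_low_enough and not (ctx.options & ssl.OP_NO_SSLv3)


def sslv3_floor_is_rejected(name="sslv3"):
    """Convenience check: does validation refuse this name?"""
    try:
        validate_ssl_version(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("lenient table on this interpreter:", sorted(lenient_protocol_table()))
    ctx = make_context("tlsv1.2")
    print("floor:", ctx.minimum_version, "could negotiate SSLv3:", accepts_sslv3(ctx))
    print("'sslv3' rejected by validation:", sslv3_floor_is_rejected())
```

Running it on a modern platform shows the lenient table already missing
sslv2 and sslv3, which is exactly the deployability bug in the thread: the
hardened version behaves the same everywhere, because the rejection lives
in the application's table and floor rather than in the platform's ssl module.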