Hi IWAMOTO,

Currently I am quite busy. When I have some spare time I will come
back to you with a more complete implementation, along with comments so
that we stand on the same ground.

With a quick look at the ssl/tls Python documentation, you are right. There
are cases where the attacker can initiate a downgrade attack and thus
choose a protocol version even below TLSv1 (which, by the way, is also an
unsafe protocol choice [1]; TLS 1.2 and above are considered safe).

Anyway, I will come back to you in the next few days.

I apologize if I created any inconvenience.

Best regards,

Alex


[1] https://techblog.topdesk.com/security/developers-need-know-tls-1-0/

On 1/24/19 5:17 AM, IWAMOTO Toshihiro wrote:
> Thanks.
> I researched the ssl module changes, but it's a bit confusing to me.
>
>
> On Thu, 24 Jan 2019 02:53:56 +0900,
> alex wrote:
>> Signed-off-by: alex <atoptsog...@suse.com>
>> ---
>>  ryu/controller/controller.py | 8 ++++++--
>>  1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/ryu/controller/controller.py b/ryu/controller/controller.py
>> index 62135339..9198bfb1 100644
>> --- a/ryu/controller/controller.py
>> +++ b/ryu/controller/controller.py
>> @@ -164,6 +164,10 @@ class OpenFlowController(object):
>>              client.stop()
>>  
>>      def server_loop(self, ofp_tcp_listen_port, ofp_ssl_listen_port):
>> +        if hasattr(ssl, 'PROTOCOL_TLS'):
>> +            p = "PROTOCOL_TLS"
> It's better to disable SSL in this case.
> To do that, SSLContext.wrap_socket should be used in
> ryu.lib.hub.StreamServer in order to use OP_NO_SSLv3, IIUC.
>
>> +        else:
>> +            p = "PROTOCOL_SSLv23"
> To prevent SSL v2 or v3 on python <2.7.9, I think this should be
> PROTOCOL_TLSv1.
>
>
>>          if CONF.ctl_privkey is not None and CONF.ctl_cert is not None:
>>              if CONF.ca_certs is not None:
>>                  server = StreamServer((CONF.ofp_listen_host,
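Review bot: the two arms of `+        if hasattr(ssl, 'PROTOCOL_TLS'):` select the same thing, because `PROTOCOL_TLS` is an alias of `PROTOCOL_SSLv23`: both are the wildcard that lets OpenSSL negotiate any version it still supports, which on an old build includes SSLv3 (and SSLv2). Swapping the fixed `PROTOCOL_TLSv1` for that wildcard therefore widens what a peer can pick rather than narrowing it, and the version floor has to be set explicitly with `OP_NO_SSLv2 | OP_NO_SSLv3` (and, for a "TLS 1.2 and above" policy, `OP_NO_TLSv1 | OP_NO_TLSv1_1`) on an `SSLContext`, which is only possible if `StreamServer` accepts a context or calls `SSLContext.wrap_socket` itself, as suggested above. A smaller point: `p` stores the attribute name as a string only so that `getattr(ssl, p)` resolves it again later; assigning `p = ssl.PROTOCOL_TLS` / `p = ssl.PROTOCOL_SSLv23` and passing `p` directly reads more simply, and `p` is also computed on the plain-TCP path where it is never used.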
>> @@ -173,14 +177,14 @@ class OpenFlowController(object):
>>                                        certfile=CONF.ctl_cert,
>>                                        cert_reqs=ssl.CERT_REQUIRED,
>>                                        ca_certs=CONF.ca_certs,
>> -                                      ssl_version=ssl.PROTOCOL_TLSv1)
>> +                                      ssl_version=getattr(ssl, p))
>>              else:
>>                  server = StreamServer((CONF.ofp_listen_host,
>>                                         ofp_ssl_listen_port),
>>                                        datapath_connection_factory,
>>                                        keyfile=CONF.ctl_privkey,
>>                                        certfile=CONF.ctl_cert,
>> -                                      ssl_version=ssl.PROTOCOL_TLSv1)
>> +                                      ssl_version=getattr(ssl, p))
>>          else:
>>              server = StreamServer((CONF.ofp_listen_host,
>>                                     ofp_tcp_listen_port),
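Review bot: both `ssl_version=getattr(ssl, p)` replacements apply the same wildcard to the mutual-TLS listener (`cert_reqs=ssl.CERT_REQUIRED` with `ca_certs`) and to the server-auth-only listener, so the downgrade concern raised for the first hunk applies to each of them; note also that the branch without `ca_certs` sets no `cert_reqs`, so it authenticates only the controller, before and after the change. If the intent is a TLS 1.2 floor, building one context with the `OP_NO_*` options set and reusing it for both listeners would avoid repeating the version argument, and the `PROTOCOL_TLSv1` fallback suggested for Pythons without `PROTOCOL_TLS` at least keeps the floor the code had rather than lowering it.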
>> -- 
>> 2.16.4
>>
>>
>>
>> _______________________________________________
>> Ryu-devel mailing list
>> Ryu-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/ryu-devel
>>
-- 
Alexandros Toptsoglou <atoptsog...@suse.com>
Security Engineer
OpenPGP fingerprint: C270 3848 AA4A 783A 9848  BB06 56A3 3D9C B652 1869

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)
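The context the thread converges on (a wildcard protocol with the legacy versions switched off, handed to the accept loop through `SSLContext.wrap_socket`), as an added example and not Ryu's own code. It assumes Python 3, that the operator supplies a self-signed certificate/key pair for the loopback probe (none is shipped here), and that the `StreamServer` integration is done by the caller; the probe function names are this example's own.

```python
"""Hardened TLS server context for an OpenFlow controller listener.

Added example for this thread, not Ryu's own code.  It builds the
SSLContext that IWAMOTO suggests handing to the accept loop via
SSLContext.wrap_socket(); the StreamServer integration is assumed and
not shown.  Python 3.7+ uses minimum_version; older releases fall back
to the OP_NO_* flags, which is all 2.7.9+/3.x had in 2019.
"""
import socket
import ssl
import sys
import threading

# Lowest to highest: the OP_NO_* flag that disables each version.  A flag
# that is missing on old Python/OpenSSL means that version cannot be
# switched off through ssl_version alone, which is the gap the patch leaves.
_VERSION_FLAGS = (
    ("SSLv3", "OP_NO_SSLv3"),
    ("TLSv1", "OP_NO_TLSv1"),
    ("TLSv1_1", "OP_NO_TLSv1_1"),
    ("TLSv1_2", "OP_NO_TLSv1_2"),
)


def wildcard_protocols_are_aliases():
    """PROTOCOL_TLS is literally PROTOCOL_SSLv23: both mean 'any version'."""
    return hasattr(ssl, "PROTOCOL_TLS") and ssl.PROTOCOL_TLS == ssl.PROTOCOL_SSLv23


def make_server_context(certfile=None, keyfile=None, ca_certs=None):
    """Server context that refuses everything below TLS 1.2.

    Mirrors the controller's two TLS cases: ca_certs given (mutual TLS,
    cert_reqs=CERT_REQUIRED) and no CA (server authentication only).
    Without a certfile the context is only useful for inspecting policy.
    """
    proto = getattr(ssl, "PROTOCOL_TLS_SERVER", None)
    if proto is None:  # pre-3.6: wildcard constant, policy comes from options
        proto = getattr(ssl, "PROTOCOL_TLS", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(proto)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # 3.7+ with OpenSSL 1.1
    except (AttributeError, ValueError):
        ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
        for _label, flag in _VERSION_FLAGS[:3]:  # SSLv3, TLSv1, TLSv1_1
            ctx.options |= getattr(ssl, flag, 0)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if ca_certs:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(ca_certs)
    return ctx


def floor_name(ctx):
    """Lowest protocol version the context will still negotiate."""
    min_ver = getattr(ctx, "minimum_version", None)
    if min_ver is not None and min_ver != ssl.TLSVersion.MINIMUM_SUPPORTED:
        return min_ver.name
    for label, flag in _VERSION_FLAGS:  # first version not explicitly disabled
        if not ctx.options & getattr(ssl, flag, 0):
            return label
    return "TLSv1_3"


def refuses_legacy(ctx):
    """True when SSLv3, TLS 1.0 and TLS 1.1 are all off (the thread's target)."""
    return floor_name(ctx) in ("TLSv1_2", "TLSv1_3")


def probe_handshake(server_ctx, client_max):
    """Loopback handshake against a client capped at client_max.

    Returns {'version': ...} when the server accepted the connection and
    {'error': ...} when it refused.  server_ctx must carry a certificate.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    outcome = {}

    def serve():
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                outcome["version"] = tls.version()
        except OSError as exc:  # SSLError (incl. version refusals) is an OSError
            outcome["error"] = str(exc)

    worker = threading.Thread(target=serve)
    worker.start()
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False  # version probe only; no identity check
    client.verify_mode = ssl.CERT_NONE
    client.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    client.maximum_version = client_max  # the "downgraded" peer
    try:
        with client.wrap_socket(socket.create_connection(listener.getsockname())):
            pass
    except OSError:
        pass  # the server side records why
    worker.join()
    listener.close()
    return outcome


if __name__ == "__main__":
    # Usage: python hardened_tls.py server.crt server.key  (operator-supplied pair)
    cert, key = sys.argv[1:3]
    ctx = make_server_context(cert, key)
    print("floor:", floor_name(ctx))
    for cap in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print("client max", cap.name, "->", probe_handshake(ctx, cap))
```

Run with a self-signed pair to see the TLS 1.1-capped client rejected and the TLS 1.2 one accepted; on an OpenSSL build whose own security level already forbids TLS 1.1 the first probe fails on the client side instead, and the server entry shows the EOF rather than a version alert. The point of `floor_name` is that it answers the question the patch's `hasattr` check does not: not which constant was passed, but which versions remain negotiable.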


