On Thu, 24 Jan 2019 17:26:02 +0900,
alex wrote:
>
> [1 <multipart/signed (7bit)>]
> [1.1 Re: [Ryu-devel] [PATCH] Choose the highest TLS version <multipart/mixed
> (7bit)>]
> [1.1.1 <text/plain; utf-8 (quoted-printable)>]
> Hi IWAMOTO,
>
> Currently I am quite busy. When I will have some spare time I will come
> back to you, with a more complete implementation,along with comments so
> that we stand on the same ground.
>
> With a quick look at ssl/tls python documentation, you are right. There
> are cases that the attacker can initiate a downgrade attack and thus
> chooses a protocol version even bellow TLSv1(which btw it is also an
> unsafe protocol choice[1]; TLS 1.2 and above are considered safe).
It has been on my TODO list a while. Thanks for working on this.
IMO we need to make some decision on compatibily and security.
The below is some my untested code. Use this (or don't) as you wish.
Signed-off-by: IWAMOTO Toshihiro <iwam...@valinux.co.jp>
diff --git a/ryu/lib/hub.py b/ryu/lib/hub.py
index bd15fc89..f239101a 100644
--- a/ryu/lib/hub.py
+++ b/ryu/lib/hub.py
@@ -126,9 +126,17 @@ if HUB_TYPE == 'eventlet':
self.server = eventlet.listen(listen_info)
if ssl_args:
- def wrap_and_handle(sock, addr):
- ssl_args.setdefault('server_side', True)
- handle(ssl.wrap_socket(sock, **ssl_args), addr)
+ if getattr(ssl, 'SSLContext', None):
+ def wrap_and_handle(sock, addr):
+ sslcontext =
ssl.SSLContext(ssl_args.pop('ssl_version'))
+ sslcontext.options |= getattr(ssl, 'OP_NO_SSLv2', 0)
+ sslcontext.options |= getattr(ssl, 'OP_NO_SSLv3', 0)
+ ssl_args.setdefault('server_side', True)
+ handle(sslcontext.wrap_socket(sock, **ssl_args), addr)
+ else:
+ def wrap_and_handle(sock, addr):
+ ssl_args.setdefault('server_side', True)
+ handle(ssl.wrap_socket(sock, **ssl_args), addr)
self.handle = wrap_and_handle
else:
> [1] https://techblog.topdesk.com/security/developers-need-know-tls-1-0/
>
> On 1/24/19 5:17 AM, IWAMOTO Toshihiro wrote:
> > Thanks.
> > I researched the ssl module changes, but it's a bit confusing to me.
> >
> >
> > On Thu, 24 Jan 2019 02:53:56 +0900,
> > alex wrote:
> >> Signed-off-by: alex <atoptsog...@suse.com>
> >> ---
> >> ryu/controller/controller.py | 8 ++++++--
> >> 1 file changed, 6 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/ryu/controller/controller.py b/ryu/controller/controller.py
> >> index 62135339..9198bfb1 100644
> >> --- a/ryu/controller/controller.py
> >> +++ b/ryu/controller/controller.py
> >> @@ -164,6 +164,10 @@ class OpenFlowController(object):
> >> client.stop()
> >>
> >> def server_loop(self, ofp_tcp_listen_port, ofp_ssl_listen_port):
> >> + if hasattr(ssl, 'PROTOCOL_TLS'):
> >> + p = "PROTOCOL_TLS"
> > It's better to disable SSL in this case.
> > To do that, SSLContext.wrap_socket should be used in
> > ryu.lib.hub.StreamServer in order to use OP_NO_SSLv3, IIUC.
> >
> >> + else:
> >> + p = "PROTOCOL_SSLv23"
> > To prevent SSL v2 or v3 on python <2.7.9, I think this should be
> > PROTOCOL_TLSv1.
> >
> >
> >> if CONF.ctl_privkey is not None and CONF.ctl_cert is not None:
> >> if CONF.ca_certs is not None:
> >> server = StreamServer((CONF.ofp_listen_host,
> >> @@ -173,14 +177,14 @@ class OpenFlowController(object):
> >> certfile=CONF.ctl_cert,
> >> cert_reqs=ssl.CERT_REQUIRED,
> >> ca_certs=CONF.ca_certs,
> >> - ssl_version=ssl.PROTOCOL_TLSv1)
> >> + ssl_version=getattr(ssl, p))
> >> else:
> >> server = StreamServer((CONF.ofp_listen_host,
> >> ofp_ssl_listen_port),
> >> datapath_connection_factory,
> >> keyfile=CONF.ctl_privkey,
> >> certfile=CONF.ctl_cert,
> >> - ssl_version=ssl.PROTOCOL_TLSv1)
> >> + ssl_version=getattr(ssl, p))
> >> else:
> >> server = StreamServer((CONF.ofp_listen_host,
> >> ofp_tcp_listen_port),
> >> --
> >> 2.16.4
> >>
> >>
> >>
> >> _______________________________________________
> >> Ryu-devel mailing list
> >> Ryu-devel@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/ryu-devel
> >>
> --
> Alexandros Toptsoglou <atoptsog...@suse.com>
> Security Engineer
> OpenPGP fingerprint: C270 3848 AA4A 783A 9848 BB06 56A3 3D9C B652 1869
>
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
> Graham Norton, HRB 21284 (AG Nürnberg)
>
>
> [1.2 OpenPGP digital signature <application/pgp-signature (7bit)>]
> No public key for 56A33D9CB6521869 created at 2019-01-24T17:26:02+0900 using
> RSA
> [2 <text/plain; us-ascii (7bit)>]
>
> [3 <text/plain; us-ascii (7bit)>]
> _______________________________________________
> Ryu-devel mailing list
> Ryu-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ryu-devel
_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel
