[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-02-28 Thread Mathew Hodson
** Tags removed: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1904988

Title:
  [SRU] set defaults to be sslv23 not tlsv1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-02-02 Thread Launchpad Bug Tracker
This bug was fixed in the package python-eventlet - 0.18.4-1ubuntu2

---
python-eventlet (0.18.4-1ubuntu2) xenial; urgency=medium

  * d/p/set-defaults-to-be-tlsv1-not-sslv23.patch: Dropped.
    This patches was setting TLSv1 protocol as only allowed and don't
    allowed TLS 1.1 + 1.2. Eventlet wrapper should not change SSL settings,
    users should use ssl.create_default_context for better/safe defaults
    (LP: #1904988).

 -- Zhang Hua   Fri, 20 Nov 2020 13:29:19 +0800

** Changed in: python-eventlet (Ubuntu Xenial)
   Status: Fix Committed => Fix Released


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-26 Thread Hua Zhang
Successfully verified python-eventlet in xenial-proposed.

echo 'deb http://archive.ubuntu.com/ubuntu/ xenial-proposed restricted main multiverse universe' |sudo tee -a /etc/apt/sources.list
sudo apt update
sudo apt-get install python-eventlet/xenial-proposed
sudo systemctl restart nova-novncproxy

I can see TLSv1.2

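$ nova get-vnc-console bionic-032738 novnc
+-------+----------------------------------------------------------------------------------+
| Type  | Url                                                                              |
+-------+----------------------------------------------------------------------------------+
| novnc | https://10.5.1.161:6080/vnc_auto.html?token=7070e450-7a82-4d7c-bdb2-9fd8e2341ef5 |
+-------+----------------------------------------------------------------------------------+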

$ nmap --script ssl-enum-ciphers -p 6080 10.5.1.161 |grep -i tlsv1.2
|   TLSv1.2: 

and I can run curl with --tlsv1.2 successfully.

curl -k -vvv https://10.5.1.161:6080/vnc_auto.html?token=7070e450-7a82-4d7c-bdb2-9fd8e2341ef5 --tlsv1.2


** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

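Added example (not part of the thread and not python-eventlet code): the verification above greps the nmap output for TLSv1.2 only, so this sketch parses ssl-enum-ciphers output and compares a scan taken before the update with one taken after, showing which protocol versions were gained and whether any were lost. The two scan texts are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples in the layout of `nmap --script ssl-enum-ciphers` output;
# they are illustrative, not captured from the systems in this bug.
SCAN_TLSV1_ONLY = """\
PORT     STATE SERVICE
6080/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""

SCAN_SSLV23 = """\
PORT     STATE SERVICE
6080/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
"""

# A protocol header looks like "|   TLSv1.2:"; cipher lines start with "TLS_".
PROTO_RE = re.compile(r"^\|[ _]+(SSLv\d|TLSv\d\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+(TLS_\w+)\s")


def offered_protocols(nmap_output):
    """Return {protocol version: [cipher suites]} as listed by ssl-enum-ciphers."""
    offered, current = {}, None
    for line in nmap_output.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered[current] = []
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current is not None:
            offered[current].append(cipher.group(1))
    return offered


def compare_scans(before, after):
    """Return (versions gained, versions lost) between two scans of the same port."""
    old, new = set(offered_protocols(before)), set(offered_protocols(after))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    gained, lost = compare_scans(SCAN_TLSV1_ONLY, SCAN_SSLV23)
    print("gained:", gained, "lost:", lost)
```

An empty "lost" list is the no-regression condition: clients limited to TLS 1.0 can still connect after the default changes.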

[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-20 Thread Robie Basak
Thanks Marc!

Unsubscribed ~ubuntu-sponsors.

For SRU verification, would checking that eventlet can correctly connect
to each of the various protocol versions be appropriate?


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-20 Thread Robie Basak
Hello Hua, or anyone else affected,

Accepted python-eventlet into xenial-proposed. The package will build
now and be available at
https://launchpad.net/ubuntu/+source/python-eventlet/0.18.4-1ubuntu2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: python-eventlet (Ubuntu Xenial)
   Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-xenial


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-20 Thread Marc Deslauriers
ACK from the security team on the change suggested by comment #1.
Thanks!


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-20 Thread Hua Zhang
Hey @Robie, TLS 1.2 has already been supported in Bionic, Focal, Groovy
because as Mathew said 'set-defaults-to-be-tlsv1-not-sslv23.patch was
dropped by python-eventlet 0.19.0-2 in Ubuntu Yakkety.'


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-16 Thread Mathew Hodson
python-eventlet (0.19.0-2) experimental; urgency=medium

  [ Ondřej Nový ]
  * d/{control,copyright}: Use my @debian.org email address
  * d/p/use-packaged-python-mock-rather-than-embedded.patch:
    Rebased and fixed for new release
  * Dropped
    - d/p/enforce-tlsv1-always.patch
    - d/p/set-defaults-to-be-tlsv1-not-sslv23.patch
    This patches was setting TLSv1 protocol as only allowed and don't
    allowed TLS 1.1 + 1.2. Eventlet wrapper should not change SSL settings,
    users should use ssl.create_default_context for better/safe defaults.

[...]

 -- Ondřej Nový   Fri, 12 Aug 2016 11:13:34 +0200


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-16 Thread Mathew Hodson
set-defaults-to-be-tlsv1-not-sslv23.patch was dropped by python-eventlet
0.19.0-2 in Ubuntu Yakkety.

** Description changed:

  [Impact]
  
- python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
+ * python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
  defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
  sslv23
  
- This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
+ * This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
  should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy
  the benefit of tlsv1_2 as well.
+ 
+ * set-defaults-to-be-tlsv1-not-sslv23.patch was already dropped by
+ python-eventlet 0.19.0-2 [1] in Ubuntu Yakkety.
  
  [Test Case]
  
  * Install an SSL based Spice OpenStack test env, and apply this python-
  eventlet patch as well onto the nova-cloud-controller units.
  
  * Run the "nmap --script ssl-enum-ciphers -p 6082 " test and
  confirm whether it shows tlsv1_2
  
  [Regression Potential]
  
  xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after
  openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it
  just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer
  than just having tlsv1_0. and the upstream is also using sslv23 as well
  [3], and python-eventlet=0.19.0-2 started to the same thing as well.
  
  So no regression is expected.
  
  [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
  [2] https://docs.python.org/2/library/ssl.html#socket-creation
  [3] 
https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
  
  [Discussion]
  The first package upload was missing the bug reference so a second package 
was uploaded. The first can be rejected.


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-13 Thread Robie Basak
What's the situation with Bionic, Focal and Groovy please? Do these
already support TLS 1.1 and 1.2? We need to make sure we don't regress
users upgrading up from Xenial.


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2021-01-04 Thread Corey Bryant
Thanks Hua. This has been uploaded to the xenial unapproved queue.

https://launchpad.net/ubuntu/xenial/+queue?queue_state=1_text=python-eventlet

** Changed in: python-eventlet (Ubuntu Xenial)
   Status: New => Triaged

** Description changed:

  [Impact]
  
  python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
  defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
  sslv23
  
  This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
  should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy
  the benefit of tlsv1_2 as well.
  
  [Test Case]
  
  * Install an SSL based Spice OpenStack test env, and apply this python-
  eventlet patch as well onto the nova-cloud-controller units.
  
  * Run the "nmap --script ssl-enum-ciphers -p 6082 " test and
  confirm whether it shows tlsv1_2
  
  [Regression Potential]
  
  xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after
  openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it
  just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer
  than just having tlsv1_0. and the upstream is also using sslv23 as well
  [3], and python-eventlet=0.19.0-2 started to the same thing as well.
  
  So no regression is expected.
  
  [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
  [2] https://docs.python.org/2/library/ssl.html#socket-creation
  [3] 
https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
+ 
+ [Discussion]
+ The first package upload was missing the bug reference so a second package 
was uploaded. The first can be rejected.


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2020-12-17 Thread Hua Zhang
Hi Drew, yeah, you're right, it works for both novnc and spice, because
both novnc and spice depend on websockify, and websockify depends on
python-eventlet's ssl.


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2020-12-17 Thread Drew Freiberger
Will this fix also address TLS1.2 enablement on novnc console proxies as
well, or is it only valid for Spice consoles?  I'm assuming since it's a
websockify update, it should work for both.


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2020-12-10 Thread Mathew Hodson
** Changed in: python-eventlet (Ubuntu)
   Status: New => Fix Released

** Changed in: python-eventlet (Ubuntu)
   Importance: Undecided => High

** Changed in: python-eventlet (Ubuntu Xenial)
   Importance: Undecided => Medium


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2020-12-03 Thread Ubuntu Foundations Team Bug Bot
The attachment "xenial.debdiff" seems to be a debdiff.  The
ubuntu-sponsors team has been subscribed to the bug report so that they
can review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2020-12-03 Thread Hua Zhang
** Description changed:

+ [Impact]
+ 
  python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
  defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
  sslv23
  
- This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
- think we should set defaults to be sslv23 not tlsv1.
+ This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
+ should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy
+ the benefit of tlsv1_2 as well.
  
- python-eventlet=0.19.0-2 started to the same thing as well, but can
- xenial users also enjoy these benefits?
+ [Test Case]
  
- BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
- [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
- connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
- convenient and safer than just having tlsv1_0. and the upstream is also
- using sslv23 as well [3].
+ * Install an SSL based Spice OpenStack test env, and apply this python-
+ eventlet patch as well onto the nova-cloud-controller units.
+ 
+ * Run the "nmap --script ssl-enum-ciphers -p 6082 " test and
+ confirm whether it shows tlsv1_2
+ 
+ [Regression Potential]
+ 
+ xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after
+ openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it
+ just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer
+ than just having tlsv1_0. and the upstream is also using sslv23 as well
+ [3], and python-eventlet=0.19.0-2 started to the same thing as well.
+ 
+ So no regression is expected.
  
  [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
  [2] https://docs.python.org/2/library/ssl.html#socket-creation
  [3] 
https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
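Review bot: the added [Test Case] gives the nmap command with nothing after "-p 6082 " and only asks whether tlsv1_2 shows up, which does not exercise the no-regression claim. Since the added [Regression Potential] text says sslv23 brings tlsv1_0, tlsv1_1 and tlsv1_2, the test case should name the host to scan and also require that tlsv1_0 and tlsv1_1 are still listed after the update, so that clients limited to the older versions are shown to keep working.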

** Patch added: "xenial.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+attachment/5440544/+files/xenial.debdiff


[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

2020-12-03 Thread Hua Zhang
** Summary changed:

- set defaults to be sslv23 not tlsv1
+ [SRU] set defaults to be sslv23 not tlsv1
