[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
** Tags removed: verification-needed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1904988

Title:
  [SRU] set defaults to be sslv23 not tlsv1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
This bug was fixed in the package python-eventlet - 0.18.4-1ubuntu2

---
python-eventlet (0.18.4-1ubuntu2) xenial; urgency=medium

  * d/p/set-defaults-to-be-tlsv1-not-sslv23.patch: Dropped. This patches was
    setting TLSv1 protocol as only allowed and don't allowed TLS 1.1 + 1.2.
    Eventlet wrapper should not change SSL settings, users should use
    ssl.create_default_context for better/safe defaults (LP: #1904988).

 -- Zhang Hua Fri, 20 Nov 2020 13:29:19 +0800

** Changed in: python-eventlet (Ubuntu Xenial)
       Status: Fix Committed => Fix Released
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Successfully verified python-eventlet in xenial-proposed.

echo 'deb http://archive.ubuntu.com/ubuntu/ xenial-proposed restricted main multiverse universe' |sudo tee -a /etc/apt/sources.list
sudo apt update
sudo apt-get install python-eventlet/xenial-proposed
sudo systemctl restart nova-novncproxy

I can see TLSv1.2

$ nova get-vnc-console bionic-032738 novnc
+---+--+
| Type | Url |
+---+--+
| novnc | https://10.5.1.161:6080/vnc_auto.html?token=7070e450-7a82-4d7c-bdb2-9fd8e2341ef5 |
+---+--+

$ nmap --script ssl-enum-ciphers -p 6080 10.5.1.161 |grep -i tlsv1.2
| TLSv1.2:

and I can run curl with --tlsv1.2 successfully.

curl -k -vvv https://10.5.1.161:6080/vnc_auto.html?token=7070e450-7a82-4d7c-bdb2-9fd8e2341ef5 --tlsv1.2

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
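
As an added example (not part of the original message or of python-eventlet), the `grep -i tlsv1.2` check in the verification above can be tightened by parsing the ssl-enum-ciphers output and asserting on the full set of protocol versions offered per port. The two sample outputs are constructed, and the required/forbidden protocol sets are an assumed policy.

```python
import re

# Constructed `nmap --script ssl-enum-ciphers` output (not taken from the bug
# report): a listener pinned to TLSv1, then one negotiating up to TLSv1.2.
TLSV1_ONLY = """\
6080/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
"""
UP_TO_TLSV1_2 = """\
6080/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
# Protocol headers look like "|   TLSv1.2:"; cipher names start with "TLS_".
PROTO_RE = re.compile(r"^\|[ _]\s+((?:SSLv|TLSv)\d(?:\.\d)?):\s*$")

def offered_protocols(nmap_output):
    """Map each open port to the protocol versions the script listed for it."""
    result, port = {}, None
    for line in nmap_output.splitlines():
        if m := PORT_RE.match(line):
            port = int(m.group(1))
            result[port] = []
        elif (m := PROTO_RE.match(line)) and port is not None:
            result[port].append(m.group(1))
    return result

def verify(nmap_output, required=("TLSv1.2",), forbidden=("SSLv2", "SSLv3")):
    """Return findings; an empty list means the listener meets the policy."""
    ports = offered_protocols(nmap_output)
    if not ports:  # an empty scan must not count as a pass
        return ["no open port in output"]
    findings = []
    for port, protos in sorted(ports.items()):
        findings += [f"{port}: {p} not offered" for p in required if p not in protos]
        findings += [f"{port}: {p} offered" for p in forbidden if p in protos]
    return findings
```

Passing `required=("TLSv1.0", "TLSv1.1", "TLSv1.2")` checks the full set that the bug's [Regression Potential] section says the SSLv23 default should yield.
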
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Thanks Marc! Unsubscribed ~ubuntu-sponsors.

For SRU verification, would checking that eventlet can correctly connect to each of the various protocol versions be appropriate?
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Hello Hua, or anyone else affected,

Accepted python-eventlet into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-eventlet/0.18.4-1ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: python-eventlet (Ubuntu Xenial)
       Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-xenial
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
ACK from the security team on the change suggested by comment #1. Thanks!
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Hey @Robie, TLS 1.2 has already been supported in Bionic, Focal, Groovy because as Mathew said 'set-defaults-to-be-tlsv1-not-sslv23.patch was dropped by python-eventlet 0.19.0-2 in Ubuntu Yakkety.'
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
python-eventlet (0.19.0-2) experimental; urgency=medium

  [ Ondřej Nový ]
  * d/{control,copyright}: Use my @debian.org email address
  * d/p/use-packaged-python-mock-rather-than-embedded.patch: Rebased
    and fixed for new release
  * Dropped
    - d/p/enforce-tlsv1-always.patch
    - d/p/set-defaults-to-be-tlsv1-not-sslv23.patch
    This patches was setting TLSv1 protocol as only allowed and don't
    allowed TLS 1.1 + 1.2. Eventlet wrapper should not change SSL
    settings, users should use ssl.create_default_context for better/safe
    defaults.

  [...]

 -- Ondřej Nový Fri, 12 Aug 2016 11:13:34 +0200
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
set-defaults-to-be-tlsv1-not-sslv23.patch was dropped by python-eventlet 0.19.0-2 in Ubuntu Yakkety. ** Description changed: [Impact] - python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set- + * python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set- defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not sslv23 - This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we + * This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy the benefit of tlsv1_2 as well. + + * set-defaults-to-be-tlsv1-not-sslv23.patch was already dropped by + python-eventlet 0.19.0-2 [1] in Ubuntu Yakkety. [Test Case] * Install an SSL based Spice OpenStack test env, and apply this python- eventlet patch as well onto the nova-cloud-controller units. * Run the "nmap --script ssl-enum-ciphers -p 6082 " test and confirm whether it shows tlsv1_2 [Regression Potential] xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer than just having tlsv1_0. and the upstream is also using sslv23 as well [3], and python-eventlet=0.19.0-2 started to the same thing as well. So no regression is expected. [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2 [2] https://docs.python.org/2/library/ssl.html#socket-creation [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51 [Discussion] The first package upload was missing the bug reference so a second package was uploaded. The first can be rejected.
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
What's the situation with Bionic, Focal and Groovy please? Do these already support TLS 1.1 and 1.2? We need to make sure we don't regress users upgrading up from Xenial.
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Thanks Hua. This has been uploaded to the xenial unapproved queue. https://launchpad.net/ubuntu/xenial/+queue?queue_state=1_text =python-eventlet ** Changed in: python-eventlet (Ubuntu Xenial) Status: New => Triaged ** Description changed: [Impact] python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set- defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not sslv23 This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy the benefit of tlsv1_2 as well. [Test Case] * Install an SSL based Spice OpenStack test env, and apply this python- eventlet patch as well onto the nova-cloud-controller units. * Run the "nmap --script ssl-enum-ciphers -p 6082 " test and confirm whether it shows tlsv1_2 [Regression Potential] xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer than just having tlsv1_0. and the upstream is also using sslv23 as well [3], and python-eventlet=0.19.0-2 started to the same thing as well. So no regression is expected. [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2 [2] https://docs.python.org/2/library/ssl.html#socket-creation [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51 + + [Discussion] + The first package upload was missing the bug reference so a second package was uploaded. The first can be rejected.
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Hi Drew, yeah, you're right, it works for both novnc and spice, because both novnc and spice depend on websockify, then websockify depends on python-eventlet's ssl.
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Will this fix also address TLS1.2 enablement on novnc console proxies as well, or is it only valid for Spice consoles? I'm assuming since it's a websockify update, it should work for both.
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
** Changed in: python-eventlet (Ubuntu)
       Status: New => Fix Released

** Changed in: python-eventlet (Ubuntu)
   Importance: Undecided => High

** Changed in: python-eventlet (Ubuntu Xenial)
   Importance: Undecided => Medium
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
The attachment "xenial.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff.

If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

** Tags added: patch
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
** Description changed: + [Impact] + python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set- defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not sslv23 - This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I - think we should set defaults to be sslv23 not tlsv1. + This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we + should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy + the benefit of tlsv1_2 as well. - python-eventlet=0.19.0-2 started to the same thing as well, but can - xenial users also enjoy these benefits? + [Test Case] - BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page - [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2 - connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more - convenient and safer than just having tlsv1_0. and the upstream is also - using sslv23 as well [3]. + * Install an SSL based Spice OpenStack test env, and apply this python- + eventlet patch as well onto the nova-cloud-controller units. + + * Run the "nmap --script ssl-enum-ciphers -p 6082 " test and + confirm whether it shows tlsv1_2 + + [Regression Potential] + + xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after + openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it + just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer + than just having tlsv1_0. and the upstream is also using sslv23 as well + [3], and python-eventlet=0.19.0-2 started to the same thing as well. + + So no regression is expected. 
[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2 [2] https://docs.python.org/2/library/ssl.html#socket-creation [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51 ** Patch added: "xenial.debdiff" https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+attachment/5440544/+files/xenial.debdiff
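
Review bot: In the added [Test Case], the nmap command has no target after "-p 6082" and the step only asks whether tlsv1_2 shows up, while the added [Regression Potential] claims the result is tlsv1_0, tlsv1_1 and tlsv1_2. The test case should name the host to scan and record the full list of protocol versions reported, so that the claim is actually checked and a listener that lost tlsv1_0 or tlsv1_1 would be noticed. [Regression Potential] also stops at "no regression is expected" without saying what a regression would look like; one sentence on which clients or services to watch after the default changes from tlsv1 to sslv23 would make the section usable for verification.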
[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
** Summary changed: - set defaults to be sslv23 not tlsv1 + [SRU] set defaults to be sslv23 not tlsv1