** Description changed: + [Impact] + python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set- defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not sslv23 - This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I - think we should set defaults to be sslv23 not tlsv1. + This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we + should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy + the benefit of tlsv1_2 as well. - python-eventlet=0.19.0-2 started to the same thing as well, but can - xenial users also enjoy these benefits? + [Test Case] - BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page - [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2 - connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more - convenient and safer than just having tlsv1_0. and the upstream is also - using sslv23 as well [3]. + * Install an SSL based Spice OpenStack test env, and apply this python- + eventlet patch as well onto the nova-cloud-controller units. + + * Run the "nmap --script ssl-enum-ciphers -p 6082 <spice-ip>" test and + confirm whether it shows tlsv1_2 + + [Regression Potential] + + xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after + openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it + just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer + than just having tlsv1_0. and the upstream is also using sslv23 as well + [3], and python-eventlet=0.19.0-2 started to the same thing as well. + + So no regression is expected. [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2 [2] https://docs.python.org/2/library/ssl.html#socket-creation [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
** Patch added: "xenial.debdiff" https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+attachment/5440544/+files/xenial.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904988 Title: [SRU] set defaults to be sslv23 not tlsv1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
