Sorry, I didn't mean to suggest we should abandon the change/bug, as not
all distros have crypto policy support systemwide.
Rather, that we should
1. make sure the out of the box behaviour is to honour openssl defaults
2. provide a nova.conf setting for the protocol version, which allows an
ordered list of versions to be set by the admin. eg might set something like
vnc_tls_protocol = [ "tls1.3", "tls1.2"]
** Changed in: nova
Status: Invalid => Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1771773
Title:
Ssl2/3 should not be used for secure VNC access
Status in OpenStack Compute (nova):
Confirmed
Bug description:
This report is based on Bandit scanner results.
On
https://git.openstack.org/cgit/openstack/nova/tree/nova/console/rfb/authvencrypt.py?h=refs/heads/master#n137
137 wrapped_sock = ssl.wrap_socket(
wrap_socket is used without ssl_version that means SSLv23 by default.
As server part (QEMU) is based on gnutls supporting all modern TLS versions
it is possible to use stricter tls version on the client (TLSv1.2).
Another option is to make this param configurable.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1771773/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
