
Remove the use of PROTOCOL_SSLv3

PROTOCOL_SSLv3 should not be used, as it can be exploited with
a protocol downgrade attack. Also, support for it has been removed in
Debian, so it simply doesn't work at all now in Sid.

This patch removes PROTOCOL_SSLv3 from one of the possible protocols
used by oslo.messaging.

Closes-Bug: #1395095
Change-Id: I2c1977c3bfc1923bcb03744e909f2e70c7fdb14c
changes/78/136278/2
Thomas Goirand 7 years ago
committed by Brant Knudson
parent
commit
42f55a1dda
  1. 12
      oslo/messaging/_drivers/impl_rabbit.py

12
oslo/messaging/_drivers/impl_rabbit.py

@ -41,8 +41,8 @@ rabbit_opts = [
cfg.StrOpt('kombu_ssl_version',
default='',
help='SSL version to use (valid only if SSL enabled). '
'valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may '
'be available on some distributions.'
'valid values are TLSv1 and SSLv23. SSLv2 and '
'SSLv3 may be available on some distributions.'
),
cfg.StrOpt('kombu_ssl_keyfile',
default='',
@ -496,8 +496,7 @@ class Connection(object):
# FIXME(markmc): use oslo sslutils when it is available as a library
_SSL_PROTOCOLS = {
"tlsv1": ssl.PROTOCOL_TLSv1,
"sslv23": ssl.PROTOCOL_SSLv23,
"sslv3": ssl.PROTOCOL_SSLv3
"sslv23": ssl.PROTOCOL_SSLv23
}
try:
@ -505,6 +504,11 @@ class Connection(object):
except AttributeError:
pass
try:
_SSL_PROTOCOLS["sslv3"] = ssl.PROTOCOL_SSLv3
except AttributeError:
pass
@classmethod
def validate_ssl_version(cls, version):
key = version.lower()
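Review bot: The new `try`/`except AttributeError` block in the third hunk puts `"sslv3"` back into `_SSL_PROTOCOLS` whenever the local `ssl` module still exposes `PROTOCOL_SSLv3`, so SSLv3 stays selectable through `kombu_ssl_version` on those builds. The downgrade exposure named in the commit message is therefore closed only where the distribution has already removed the protocol. If the intent is to stop offering SSLv3, drop that block, or log a warning when it is chosen; the same applies to the `try` block just above it, which presumably registers SSLv2 but whose body falls between hunks. The help string in the first hunk should also say these are insecure, e.g. `'SSLv3 may be available on some distributions but are insecure and should not be used.'`. It is also worth confirming whether `sslv23` can still negotiate SSLv3 with a peer on the supported Python/OpenSSL builds; `validate_ssl_version` continues past the end of the hunk, so any check there is not visible.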
