Remove the use of PROTOCOL_SSLv3

The PROTOCOL_SSLv3 should not be used, as it can be exploited with a protocol downgrade attack. Also, its support has been removed in Debian, so it simply doesn't work at all now in Sid. This patch removes PROTOCOL_SSLv3 from one of the possible protocols used by oslo.messaging. Closes-Bug: #1395095 Change-Id: I2c1977c3bfc1923bcb03744e909f2e70c7fdb14c
2014-11-21 17:40:46 +08:00 · 2014-11-21 17:40:46 +08:00 · 42f55a1dda
commit 42f55a1dda
parent 0650bde775
1 changed files with 8 additions and 4 deletions
--- a/oslo/messaging/_drivers/impl_rabbit.py
+++ b/oslo/messaging/_drivers/impl_rabbit.py
@ -41,8 +41,8 @@ rabbit_opts = [
    cfg.StrOpt('kombu_ssl_version',
               default='',
               help='SSL version to use (valid only if SSL enabled). '
-                    'valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may '
-                    'be available on some distributions.'
+                    'valid values are TLSv1 and SSLv23. SSLv2 and '
+                    'SSLv3 may be available on some distributions.'
               ),
    cfg.StrOpt('kombu_ssl_keyfile',
               default='',
@ -496,8 +496,7 @@ class Connection(object):
    # FIXME(markmc): use oslo sslutils when it is available as a library
    _SSL_PROTOCOLS = {
        "tlsv1": ssl.PROTOCOL_TLSv1,
-        "sslv23": ssl.PROTOCOL_SSLv23,
-        "sslv3": ssl.PROTOCOL_SSLv3
+        "sslv23": ssl.PROTOCOL_SSLv23
    }

    try:
@ -505,6 +504,11 @@ class Connection(object):
    except AttributeError:
        pass

+    try:
+        _SSL_PROTOCOLS["sslv3"] = ssl.PROTOCOL_SSLv3
+    except AttributeError:
+        pass
+
    @classmethod
    def validate_ssl_version(cls, version):
        key = version.lower()