[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1

[Hua Zhang]

** Description changed:

+ [Impact]
+ 
  python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
  defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
  sslv23
  
- This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
- think we should set defaults to be sslv23 not tlsv1.
+ This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
+ should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy
+ the benefit of tlsv1_2 as well.
  
- python-eventlet=0.19.0-2 started to the same thing as well, but can
- xenial users also enjoy these benefits?
+ [Test Case]
  
- BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
- [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
- connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
- convenient and safer than just having tlsv1_0. and the upstream is also
- using sslv23 as well [3].
+ * Install an SSL based Spice OpenStack test env, and apply this python-
+ eventlet patch as well onto the nova-cloud-controller units.
+ 
+ * Run the "nmap --script ssl-enum-ciphers -p 6082 <spice-ip>" test and
+ confirm whether it shows tlsv1_2
+ 
+ [Regression Potential]
+ 
+ xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after
+ openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it
+ just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer
+ than just having tlsv1_0. and the upstream is also using sslv23 as well
+ [3], and python-eventlet=0.19.0-2 started to the same thing as well.
+ 
+ So no regression is expected.
  
  [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
  [2] https://docs.python.org/2/library/ssl.html#socket-creation
  [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51

** Patch added: "xenial.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+attachment/5440544/+files/xenial.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-eventlet in Ubuntu.
https://bugs.launchpad.net/bugs/1904988

Title:
  [SRU] set defaults to be sslv23 not tlsv1

Status in python-eventlet package in Ubuntu:
  New
Status in python-eventlet source package in Xenial:
  New

Bug description:
  [Impact]

  python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
  defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
  sslv23

  This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
  should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy
  the benefit of tlsv1_2 as well.

  [Test Case]

  * Install an SSL based Spice OpenStack test env, and apply this
  python-eventlet patch as well onto the nova-cloud-controller units.

  * Run the "nmap --script ssl-enum-ciphers -p 6082 <spice-ip>" test and
  confirm whether it shows tlsv1_2

  [Regression Potential]

  xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after
  openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so
  it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and
  safer than just having tlsv1_0. and the upstream is also using sslv23
  as well [3], and python-eventlet=0.19.0-2 started to the same thing as
  well.

  So no regression is expected.

  [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
  [2] https://docs.python.org/2/library/ssl.html#socket-creation
  [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+subscriptions