[Bug 1904988] [NEW] set defaults to be sslv23 not tlsv1
Hua Zhang
1904988 at bugs.launchpad.net
Fri Nov 20 08:17:06 UTC 2020
Public bug reported:
python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
sslv23
This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
think we should set defaults to be sslv23 not tlsv1.
python-eventlet=0.19.0-2 started to the same thing as well, but can
xenial users also enjoy these benefits?
BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
[2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
convenient and safer than just having tlsv1_0. and the upstream is also
using sslv23 as well [3].
[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
[2] https://docs.python.org/2/library/ssl.html#socket-creation
[3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
** Affects: python-eventlet (Ubuntu)
Importance: Undecided
Status: New
** Affects: python-eventlet (Ubuntu Xenial)
Importance: Undecided
Status: New
** Tags: sts
** Tags added: sts
** Description changed:
python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
sslv23
This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
think we should set defaults to be sslv23 not tlsv1.
python-eventlet=0.19.0-2 started to the same thing as well, but can
xenial users also enjoy these benefits?
BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
[2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
- convenient and safer than just having tlsv1_0
+ convenient and safer than just having tlsv1_0. and the upstream is also
+ using sslv23 as well [3].
[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
[2] https://docs.python.org/2/library/ssl.html#socket-creation
+ [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
** Also affects: python-eventlet (Ubuntu Xenial)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-eventlet in Ubuntu.
https://bugs.launchpad.net/bugs/1904988
Title:
set defaults to be sslv23 not tlsv1
Status in python-eventlet package in Ubuntu:
New
Status in python-eventlet source package in Xenial:
New
Bug description:
python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
sslv23
This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
think we should set defaults to be sslv23 not tlsv1.
python-eventlet=0.19.0-2 started to the same thing as well, but can
xenial users also enjoy these benefits?
BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
[2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
convenient and safer than just having tlsv1_0. and the upstream is
also using sslv23 as well [3].
[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
[2] https://docs.python.org/2/library/ssl.html#socket-creation
[3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list