[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Robie Basak
1904988 at bugs.launchpad.net
Wed Jan 13 14:50:40 UTC 2021
What's the situation with Bionic, Focal and Groovy please? Do these
already support TLS 1.1 and 1.2? We need to make sure we don't regress
users upgrading up from Xenial.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-eventlet in Ubuntu.
https://bugs.launchpad.net/bugs/1904988
Title:
[SRU] set defaults to be sslv23 not tlsv1
Status in python-eventlet package in Ubuntu:
Fix Released
Status in python-eventlet source package in Xenial:
Triaged
Bug description:
[Impact]
python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the
d/p/set-defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be
tlsv1 not sslv23.
This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
should set defaults to be sslv23 not tlsv1 to allow xenial users to
enjoy the benefit of tlsv1_2 as well.
[Test Case]
* Install an SSL based Spice OpenStack test env, and apply this
python-eventlet patch as well onto the nova-cloud-controller units.
* Run the "nmap --script ssl-enum-ciphers -p 6082 <spice-ip>" test and
confirm whether it shows tlsv1_2
[Regression Potential]
xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2], after
openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections, so
it just brings tlsv1_0, tlsv1_1 and tlsv1_2. It's more convenient and
safer than just having tlsv1_0. The upstream is also using sslv23
as well [3], and python-eventlet=0.19.0-2 started to do the same thing
as well.
So no regression is expected.
[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
[2] https://docs.python.org/2/library/ssl.html#socket-creation
[3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
[Discussion]
The first package upload was missing the bug reference so a second package was uploaded. The first can be rejected.
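The check from the [Test Case] above, as an added example that is not part of the bug report or of eventlet: it parses `nmap --script ssl-enum-ciphers` reports taken before and after the package update and lists which protocol versions the port gained or lost. Both sample reports are constructed, and the function names `offered_protocols` and `check_sru` are hypothetical.

```python
import re

# Constructed sample reports, shaped like nmap's ssl-enum-ciphers output.
BEFORE = """\
PORT     STATE SERVICE
6082/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
"""
AFTER = """\
PORT     STATE SERVICE
6082/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
# A protocol header inside the script block looks like "|   TLSv1.2:".
PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)\d(?:\.\d)?):\s*$")

def offered_protocols(report):
    """Map each open port to the protocol versions nmap listed for it."""
    result, port = {}, None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
        m = PROTO_RE.match(line)
        if m and port is not None:
            result.setdefault(port, []).append(m.group(1))
    return result

def check_sru(before, after, port=6082):
    """Compare two reports: is TLSv1.2 offered now, and did anything vanish?"""
    old = set(offered_protocols(before).get(port, []))
    new = set(offered_protocols(after).get(port, []))
    return {"tls12_offered": "TLSv1.2" in new,
            "gained": sorted(new - old), "lost": sorted(old - new)}
```

A non-empty `lost` list means a protocol that clients could use before the update is no longer offered.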