[Bug 1904988] Re: [SRU] set defaults to be sslv23 not tlsv1
Mathew Hodson
1904988 at bugs.launchpad.net
Sat Jan 16 22:59:56 UTC 2021
set-defaults-to-be-tlsv1-not-sslv23.patch was dropped by python-eventlet
0.19.0-2 in Ubuntu Yakkety.
** Description changed:
[Impact]
- python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
+ * python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
sslv23
- This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
+ * This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy
the benefit of tlsv1_2 as well.
+
+ * set-defaults-to-be-tlsv1-not-sslv23.patch was already dropped by
+ python-eventlet 0.19.0-2 [1] in Ubuntu Yakkety.
[Test Case]
* Install an SSL based Spice OpenStack test env, and apply this python-
eventlet patch as well onto the nova-cloud-controller units.
* Run the "nmap --script ssl-enum-ciphers -p 6082 <spice-ip>" test and
confirm whether it shows tlsv1_2
[Regression Potential]
xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after
openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so it
just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and safer
than just having tlsv1_0. and the upstream is also using sslv23 as well
[3], and python-eventlet=0.19.0-2 started to the same thing as well.
So no regression is expected.
[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
[2] https://docs.python.org/2/library/ssl.html#socket-creation
[3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
[Discussion]
The first package upload was missing the bug reference so a second package was uploaded. The first can be rejected.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-eventlet in Ubuntu.
https://bugs.launchpad.net/bugs/1904988
Title:
[SRU] set defaults to be sslv23 not tlsv1
Status in python-eventlet package in Ubuntu:
Fix Released
Status in python-eventlet source package in Xenial:
Triaged
Bug description:
[Impact]
* python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
sslv23
* This will prevent xenial users from using tlsv1_1 and tlsv1_2, so we
should set defaults to be sslv23 not tlsv1 to allow xenial users enjoy
the benefit of tlsv1_2 as well.
* set-defaults-to-be-tlsv1-not-sslv23.patch was already dropped by
python-eventlet 0.19.0-2 [1] in Ubuntu Yakkety.
[Test Case]
* Install an SSL based Spice OpenStack test env, and apply this
python-eventlet patch as well onto the nova-cloud-controller units.
* Run the "nmap --script ssl-enum-ciphers -p 6082 <spice-ip>" test and
confirm whether it shows tlsv1_2
[Regression Potential]
xenial uses openssl=1.0.2g-1ubuntu4.17, so according to page [2] after
openssl 1.0.0 an SSLv23 client would not attempt SSLv2 connections so
it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more convenient and
safer than just having tlsv1_0. and the upstream is also using sslv23
as well [3], and python-eventlet=0.19.0-2 started to the same thing as
well.
So no regression is expected.
[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
[2] https://docs.python.org/2/library/ssl.html#socket-creation
[3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51
[Discussion]
The first package upload was missing the bug reference so a second package was uploaded. The first can be rejected.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list