> On Nov 22, 2014, at 1:45 AM, Robert Collins <robe...@robertcollins.net> wrote:
>
> On 22 November 2014 08:11, Jeremy Stanley <fu...@yuggoth.org> wrote:
>> On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote:
>>> Death to SSLv3 IMO.
>>
>> Sure, we should avoid releasing new versions of things which assume
>> SSLv3 support is present in underlying libraries/platforms (it's
>> unclear to me why anyone even thought it was good to make that
>> configurable to this degree in openstack-common, but it probably
>> dates back to before the nova common split). But what we're talking
>> about here is fixing a deployability/usability bug where the
>> software is assuming the presence of something removed from a
>> dependency on some platform. I'd rather not conflate it with
>> knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the
>> impression there's some vulnerability here.
>>
>> Ceasing to assume the presence of SSLv3 support is a safe choice for
>> the software in question. Forcing changes to stable branches for
>> this should be taken on its merits as a normal bug, and not
>> prioritized because of any perceived security impact.
>
> Given the persistent risks of downgrade attacks, I think this does
> actually qualify as a security issue: not that it's breaking, but that
> SSLv3 is advertised and accepted anywhere.
>
> The lines two lower:
>
>     try:
>         _SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
>     except AttributeError:
>         pass
>
> are even more concerning!
>
> That said, code like:
> https://github.com/mpaladin/python-amqpclt/blob/master/amqpclt/kombu.py#L101
>
> is truly egregious!
>
> :)
>
Yes this. SSLv3 isn’t a “Well, as long as you have newer things enabled it’s fine”; it’s a “If you have this enabled at all it’s a problem”. As far as I am aware, without TLS_FALLBACK_SCSV a MITM who is willing to do active attacks can force the connection over to the lowest protocol that a client and server support. There is no way for the server to verify that the message sent from the client that indicates their highest was not modified in transit.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
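An added example, not code from this thread or from openstack-common, of the two points discussed above: building the protocol table without assuming `ssl.PROTOCOL_SSLv3` exists on the platform, and computing the floor a client/server configuration leaves for an active downgrade when TLS_FALLBACK_SCSV is absent. It assumes Python 3.7+ (`ssl.TLSVersion`); the config names `sslv2` through `tlsv1_2` and the function names are constructed for the example.

```python
import ssl

# Config names ordered weakest to strongest, with the ssl constant each maps to.
# Constructed for this example; whether a constant exists depends on the build
# (SSLv2/SSLv3 are absent on most), which is the assumption the thread warns about.
_PROTOCOL_ORDER = (
    ("sslv2", "PROTOCOL_SSLv2"),
    ("sslv3", "PROTOCOL_SSLv3"),
    ("tlsv1", "PROTOCOL_TLSv1"),
    ("tlsv1_1", "PROTOCOL_TLSv1_1"),
    ("tlsv1_2", "PROTOCOL_TLSv1_2"),
)
DEPRECATED = frozenset({"sslv2", "sslv3"})
_TLS_MIN = {"tlsv1": "TLSv1", "tlsv1_1": "TLSv1_1", "tlsv1_2": "TLSv1_2"}


def available_protocols():
    """Map config names to ssl constants, silently skipping any this build lacks
    instead of raising AttributeError at import time."""
    return {name: getattr(ssl, attr)
            for name, attr in _PROTOCOL_ORDER if hasattr(ssl, attr)}


def downgrade_floor(client_supported, server_supported):
    """Weakest protocol both sides accept: without TLS_FALLBACK_SCSV an active
    MITM can push the handshake down to it, so this is the level a deployment
    is really running at, not the best one it advertises."""
    common = [n for n, _ in _PROTOCOL_ORDER
              if n in client_supported and n in server_supported]
    return common[0] if common else None


def make_client_context(min_protocol="tlsv1_2"):
    """Client context that refuses SSLv2/SSLv3 regardless of what the peer offers."""
    if min_protocol in DEPRECATED:
        raise ValueError("%s must not be enabled at all" % min_protocol)
    if min_protocol not in _TLS_MIN:
        raise ValueError("unknown protocol name %r" % min_protocol)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3  # explicit, not only default
    ctx.minimum_version = ssl.TLSVersion[_TLS_MIN[min_protocol]]
    return ctx


def rejects_sslv3(ctx):
    """True when the context can never negotiate SSLv3."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)
```

`downgrade_floor` is the check to run over a deployment's configured protocol sets: if it returns `sslv3` anywhere, the fact that newer versions are also enabled does not help.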