On 23 November 2014 at 11:01, Jeremy Stanley <fu...@yuggoth.org> wrote:
> On 2014-11-22 19:45:09 +1300 (+1300), Robert Collins wrote:
>> Given the persistent risks of downgrade attacks, I think this does
>> actually qualify as a security issue: not that it's breaking, but
>> that SSLv3 is advertised and accepted anywhere.
>
> Which downgrade attacks? Outside of Web browser authors deciding it
> was a good idea to bypass the normal TLS negotiation mechanism, as
> long as both ends _support_ TLS then causing a downgrade within TLS
> version negotiation to SSLv3 or earlier should not be possible. If

That's my understanding too; while this code is targeted for kombu use, I remain paranoid.

> you're suggesting we strengthen against unknown future attacks,
> that's a fine idea and is something we call "security hardening"
> (not a vulnerability fix).

Fair enough.

> My point is that suggesting there's a vulnerability here without
> looking at how the code is used is sort of like shouting "fire" in a
> crowded theater.

Point taken. Sorry :)

-Rob

--
Robert Collins <rbtcoll...@hp.com>
Distinguished Technologist
HP Converged Cloud

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
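The "security hardening" the thread settles on amounts to never advertising or accepting SSLv3 (or the older TLS versions) in the first place, so that version negotiation has nothing to fall back to. The example below is added here as an illustration and is not code from the thread, from kombu or from OpenStack: it shows the weak setting (a context whose version floor is whatever the OpenSSL build still supports) beside the corrected one (a floor of TLS 1.2), an audit function that reports a context that could still negotiate a legacy protocol, and a post-handshake check on the version actually negotiated. It uses only the standard-library `ssl` module; the TLS 1.2 floor and the fake socket used in the demo are this example's own choices.

```python
import ssl

# Version floor used throughout this example (an assumption of the example):
# anything older is treated as a legacy protocol that must be neither
# advertised nor accepted.
MINIMUM_ACCEPTABLE = ssl.TLSVersion.TLSv1_2
ACCEPTABLE_WIRE_VERSIONS = ("TLSv1.2", "TLSv1.3")


def legacy_context() -> ssl.SSLContext:
    """The weak setting: the version floor is whatever OpenSSL still supports,
    so a peer that only offers an old protocol can still be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(server_side: bool = False) -> ssl.SSLContext:
    """The corrected setting: refuse SSLv2, SSLv3, TLS 1.0 and TLS 1.1 no
    matter what the peer offers.  minimum_version is the setting the version
    negotiation honours; the older OP_NO_SSLv3-style option flags express the
    same thing but are deprecated, so they are not relied on here."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose=purpose)
    ctx.minimum_version = MINIMUM_ACCEPTABLE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a context; an empty list means no legacy protocol
    version can be negotiated with it."""
    findings = []
    if ctx.minimum_version < MINIMUM_ACCEPTABLE:
        findings.append(
            "version floor is %s, so a peer can negotiate below TLS 1.2"
            % ctx.minimum_version.name
        )
    # MAXIMUM_SUPPORTED is a negative sentinel, so exclude it before comparing.
    if (ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED
            and ctx.maximum_version < MINIMUM_ACCEPTABLE):
        findings.append(
            "version ceiling %s is itself a legacy protocol"
            % ctx.maximum_version.name
        )
    return findings


def negotiated_version_ok(tls_sock) -> bool:
    """Post-handshake check for an ssl.SSLSocket (or anything with a version()
    method returning the OpenSSL protocol name): True only when the connection
    actually ended up on TLS 1.2 or 1.3."""
    return tls_sock.version() in ACCEPTABLE_WIRE_VERSIONS


class FakeTLSSocket:
    """Constructed stand-in for an ssl.SSLSocket so the post-handshake check
    can be demonstrated offline (not a real connection)."""

    def __init__(self, negotiated: str):
        self._negotiated = negotiated

    def version(self) -> str:
        return self._negotiated


if __name__ == "__main__":
    print("legacy:  ", audit_context(legacy_context()))
    print("hardened:", audit_context(hardened_context()))
    print("server:  ", audit_context(hardened_context(server_side=True)))
    for wire in ("SSLv3", "TLSv1", "TLSv1.2", "TLSv1.3"):
        print(wire, "accepted" if negotiated_version_ok(FakeTLSSocket(wire)) else "rejected")
```

The audit looks only at `minimum_version` and `maximum_version` because those are what the handshake code consults; a context that merely sets the deprecated `OP_NO_*` flags but leaves the floor open would still be reported by a check on the floor. The post-handshake check is the belt-and-braces half: even with a correct context, logging or asserting on `SSLSocket.version()` after connect gives a detection point if a build or a later configuration change quietly widens what is negotiable.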