Re: [sage-devel] About SSLv3 security hole

Jan Groenewald Thu, 04 Dec 2014 23:16:57 -0800

Hi

https://docs.python.org/2.7/library/ssl.html#ssl.OP_NO_SSLv3


says "New in version 2.7.9" and it looks like sage runs 2.7.8 (sage-sh)
root@muizenberg:python2.7$ python --version
Python 2.7.8

Once 2.7.9 is included, I think we can add here, for example:

0 
root@muizenberg:/usr/lib/sagemath/local/lib/python2.7/site-packages/Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet#grep
OP_NO_SSLv2 ssl.py
            ctx.set_options(SSL.OP_NO_SSLv2)
        ctx.set_options(SSL.OP_NO_SSLv2)

Just below those two lines add:
       ctx.set_options(SSL.OP_NO_SSLv3)

I'm not familiar with these files/code, but there are several occurrences:

0 root@muizenberg:/usr/lib/sagemath/local/lib/python2.7/site-packages#grep
-r SSLv23 *
sagenb-0.11.1-py2.7.egg/sagenb/notebook/run_notebook.py:        ssl_context
= SSL.Context(SSL.SSLv23_METHOD)
sagenb-0.11.1-py2.7.egg/sagenb/data/codemirror/contrib/php/js/tokenizephp.js:
"STREAM_CRYPTO_METHOD_SSLv3_CLIENT", "STREAM_CRYPTO_METHOD_SSLv23_CLIENT",
sagenb-0.11.1-py2.7.egg/sagenb/data/codemirror/contrib/php/js/tokenizephp.js:
"STREAM_CRYPTO_METHOD_SSLv3_SERVER", "STREAM_CRYPTO_METHOD_SSLv23_SERVER",
tornado-3.1.1-py2.7.egg/tornado/test/httpserver_test.py:# In pre-1.0
versions of openssl, SSLv23 clients always send SSLv2
tornado-3.1.1-py2.7.egg/tornado/test/httpserver_test.py:# of SSLv23 allows
it.
tornado-3.1.1-py2.7.egg/tornado/test/httpserver_test.py:class
SSLv23Test(BaseSSLTest, SSLTestMixin):
tornado-3.1.1-py2.7.egg/tornado/test/httpserver_test.py:        return
ssl.PROTOCOL_SSLv23
tornado-3.1.1-py2.7.egg/tornado/test/iostream_test.py:        context =
ssl.SSLContext(ssl.PROTOCOL_SSLv23)
tornado-3.1.1-py2.7.egg/tornado/test/iostream_test.py:        context =
ssl.SSLContext(ssl.PROTOCOL_SSLv23)
tornado-3.1.1-py2.7.egg/tornado/netutil.py:
ssl_options.get('ssl_version', ssl.PROTOCOL_SSLv23))
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_ssl.py:        #
SSLv23_METHOD allows SSLv2, SSLv3, or TLSv1
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_ssl.py:
self.assertEqual(self.context._method, SSL.SSLv23_METHOD)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_ssl.py:
self.assertEqual(self.context._method, SSL.SSLv23_METHOD)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
# Presently, SSLv23_METHOD means (SSLv2, SSLv3, TLSv1.0, TLSv1.1,
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
SSL.SSLv23_METHOD: set(ProtocolVersion.iterconstants()),
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
if opts.method == SSL.SSLv23_METHOD:
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
# Exclusions apply only to SSLv23_METHOD and no others.
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
def test_SSLv23(self):
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
C{SSLv23_METHOD} all versions of TLS and SSLv3 are allowed.
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
method=SSL.SSLv23_METHOD)))
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
sslverify._expandCipherString(u'', SSL.SSLv23_METHOD, 0)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
ctx = FakeContext(SSL.SSLv23_METHOD)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
sslverify._expandCipherString, u'ALL', SSL.SSLv23_METHOD, 0
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
ciphers = sslverify._expandCipherString(u'ALL', SSL.SSLv23_METHOD, 0)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/mail/protocols.py:        ctx
= SSL.Context(SSL.SSLv23_METHOD)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/test/test_endpoints.py:
from OpenSSL.SSL import ContextType, SSLv23_METHOD, TLSv1_METHOD
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/test/test_endpoints.py:
self.assertEqual(server._sslContextFactory.method, SSLv23_METHOD)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/test/test_endpoints.py:
self.assertEqual(certOptions.method, SSLv23_METHOD)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/ssl.py:
sslmethod=SSL.SSLv23_METHOD, _contextFactory=SSL.Context):
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/ssl.py:    #
SSLv23_METHOD allows SSLv2, SSLv3, and TLSv1.  We disable SSLv2 below,
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/ssl.py:    method =
SSL.SSLv23_METHOD
Binary file Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/ssl.pyc
matches
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/_sslverify.py:
@param method: The SSL protocol to use, one of SSLv23_METHOD,
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/_sslverify.py:
self.method = SSL.SSLv23_METHOD
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/_sslverify.py:
SSL.SSLv23_METHOD, SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/endpoints.py:
constant in C{OpenSSL.SSL}.  Must be one of: "SSLv23_METHOD",
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/endpoints.py:
kw['method'] = ssl.SSL.SSLv23_METHOD
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/endpoints.py:
method=ssl.SSL.SSLv23_METHOD,
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/web/client.py:
method=SSL.SSLv23_METHOD,
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/topfiles/NEWS:   SSLv23 is
selected, allowing only SSLv3 and TLSv1. (#6337)
Werkzeug-0.9.6-py2.7.egg/werkzeug/serving.py:    ctx =
SSL.Context(SSL.SSLv23_METHOD)
Werkzeug-0.9.6-py2.7.egg/werkzeug/serving.py:    ctx =
SSL.Context(SSL.SSLv23_METHOD)
0 root@muizenberg:/usr/lib/sagemath/local/lib/python2.7/site-packages#grep
-r OP_NO_SSLv2 *
tornado-3.1.1-py2.7.egg/tornado/simple_httpclient.py:            # the
SSL_OP_NO_SSLv2, but that wasn't exposed to python
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_ssl.py:        #
And OP_NO_SSLv2 disables the SSLv2 support.
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_ssl.py:
self.assertTrue(self.context._options & SSL.OP_NO_SSLv2)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_ssl.py:
self.assertTrue(self.context._options & SSL.OP_NO_SSLv2)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
Every context must have C{OP_NO_SSLv2}, C{OP_NO_COMPRESSION}, and
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
options = (SSL.OP_NO_SSLv2 | opts._OP_NO_COMPRESSION |
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/test/test_sslverify.py:
SSL.OP_NO_SSLv2: ProtocolVersion.SSLv2,
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/ssl.py:
ctx.set_options(SSL.OP_NO_SSLv2)
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/ssl.py:
ctx.set_options(SSL.OP_NO_SSLv2)
Binary file Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/ssl.pyc
matches
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/_sslverify.py:
SSL.OP_NO_SSLv2 | self._OP_NO_COMPRESSION |
Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/internet/_sslverify.py:
SSL.SSLv23_METHOD, SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
0 root@muizenberg:/usr/lib/sagemath/local/lib/python2.7/site-packages#

Regards,
Jan


On 4 December 2014 at 16:41, kcrisman <kcris...@gmail.com> wrote:

>
>>
>> Depend on the proper version high enough of openssl and it is fixed for
>> you. (assuming sage server side)
>> On client side your browser, say, firefox34, latest chrome, it is fixed.
>>
>>
> What situation is this for? A server for Tampere university? What version
>> of openssl runs on which OS?
>>
>>
>
> I think Jori is asking about whether Sage itself needs to be patched or
> configured right now.   Is our openssl package high enough?  (This is not
> Heartbleed, something else.)
>
> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sage-devel+unsubscr...@googlegroups.com.
> To post to this group, send email to sage-devel@googlegroups.com.
> Visit this group at http://groups.google.com/group/sage-devel.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
  .~.
  /V\     Jan Groenewald
 /( )\    www.aims.ac.za
 ^^-^^

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sage-devel+unsubscr...@googlegroups.com.
To post to this group, send email to sage-devel@googlegroups.com.
Visit this group at http://groups.google.com/group/sage-devel.
For more options, visit https://groups.google.com/d/optout.

Re: [sage-devel] About SSLv3 security hole

Reply via email to