Bug 1152823
Summary: | koji hard codes SSLv3 use | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Kevin Fenzi <kevin> |
Component: | koji | Assignee: | Mike McLean <mikem> |
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 22 | CC: | dennis, jonathansteffan, mikem, sbonazzo, tmraz |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-07-19 12:13:35 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1146271 | | |
Bug Blocks: | | | |
Description
Kevin Fenzi
2014-10-15 03:17:13 UTC
It's pretty easy to force it to TLSv1: diff -Nur koji-1.9.0.orig/koji/ssl/SSLCommon.py koji-1.9.0/koji/ssl/SSLCommon.py --- koji-1.9.0.orig/koji/ssl/SSLCommon.py 2014-03-24 14:41:22.000000000 -0600 +++ koji-1.9.0/koji/ssl/SSLCommon.py 2014-10-14 21:30:05.777752358 -0600 @@ -37,7 +37,7 @@ if f and not os.access(f, os.R_OK): raise StandardError, "%s does not exist or is not readable" % f - ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only + ctx = SSL.Context(SSL.TLSv1_METHOD) # TLS v1 only ctx.use_certificate_file(key_and_cert) ctx.use_privatekey_file(key_and_cert) ctx.load_client_ca(ca_cert) 
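Review bot: replacing SSL.SSLv3_METHOD with SSL.TLSv1_METHOD in the `ctx = SSL.Context(...)` line swaps one pinned protocol version for another: a TLSv1_METHOD context speaks TLS 1.0 only and will never negotiate 1.1 or 1.2, however new the pyOpenSSL and OpenSSL underneath it are. Use `ctx = SSL.Context(SSL.SSLv23_METHOD)`, which negotiates the highest version both peers support, and leave the exclusion of SSLv2 and SSLv3 to the set_options call in the next hunk; the trailing comment should then say something like `# negotiate; SSLv2/3 disabled via set_options below` instead of `# TLS v1 only`, which would otherwise describe a restriction the code no longer has.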
@@ -45,7 +45,7 @@ verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT ctx.set_verify(verify, our_verify) ctx.set_verify_depth(10) - ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1) + ctx.set_options(SSL.OP_NO_SSLv3 | SSL.OP_NO_SSLv2) return ctx

However, to do 1.1 or 1.2 specifically, we need a newer pyOpenSSL, which was committed, but never built. ;( Can we push this out? I am seeing some reports that at least in rawhide the crypto-policies package has disabled SSLv3 use, breaking koji clients (see https://fedorahosted.org/rel-eng/ticket/6054). So, we should at least push to rawhide, and I would think just pushing it out to other branches would be nice too.

Please use SSLv23_METHOD instead of TLSv1_METHOD. This way the highest available TLS version will be used. For blocking SSLv2 and 3, the set_options method call is sufficient.

That needs the newest pyOpenSSL however, right?

I don't think so. The SSLv23_METHOD is present in older pyOpenSSL as well.

So it is. :)

I agree, we should change to SSLv23_METHOD.

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Still an issue on fc23.

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
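Review bot: the new `ctx.set_options(SSL.OP_NO_SSLv3 | SSL.OP_NO_SSLv2)` line does nothing while the first hunk keeps SSL.TLSv1_METHOD, because a TLSv1-only context cannot offer SSLv2 or SSLv3 in the first place; it only starts doing useful work once the method is SSLv23_METHOD, where it is exactly what stops negotiation from falling back to the versions the crypto-policies change disables. Keep this hunk, but change the method in the first hunk to SSL.SSLv23_METHOD so the two lines work together. Dropping OP_NO_TLSv1 from the old mask is right: with a negotiating method it would forbid the one version this patch is trying to enable.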
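The thread above ends with agreement on SSLv23_METHOD plus OP_NO_SSLv2 | OP_NO_SSLv3 but never spells out why that beats pinning TLSv1_METHOD. The following is an added example, not code from the bug report or from koji: a small model of how a pyOpenSSL method choice and the OP_NO_* options determine which protocol versions a context will use, and how two peers then settle on a version (the highest one both allow). It runs the three client configurations discussed above against a server like the one the report describes (crypto-policies with SSLv3 off) and, going one step beyond the page, against a hypothetical server that has also dropped TLS 1.0, to show that the TLSv1_METHOD patch is the same mistake one version later. VERSIONS, METHODS, enabled_versions, negotiate, the client and server profile names and outcomes are assumptions of the model. create_ssl_context is a corrected builder in the shape of the function patched above (its name and the _verify_cb stand-in for koji's our_verify are hypothetical); it uses real pyOpenSSL names (SSL.Context, SSLv23_METHOD, OP_NO_SSLv2, OP_NO_SSLv3, VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT) and needs pyOpenSSL installed to be called.

```python
# Added example: model of pyOpenSSL method/option selection and TLS version
# negotiation, plus a corrected context builder. Not koji code and not part of
# the bug report; the names below are assumptions of this example.

VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # lowest to highest

# Versions each pyOpenSSL method allows before any OP_NO_* option is applied.
# The fixed methods pin exactly one version; SSLv23_METHOD negotiates.
METHODS = {
    "SSLv3_METHOD": {"SSLv3"},
    "TLSv1_METHOD": {"TLSv1"},
    "SSLv23_METHOD": set(VERSIONS),
}


def enabled_versions(method, options=()):
    """Versions a context built as SSL.Context(method) followed by
    ctx.set_options(OP_NO_...) is willing to use.
    `options` is an iterable of names such as "OP_NO_SSLv3"."""
    allowed = set(METHODS[method])
    for opt in options:
        if not opt.startswith("OP_NO_"):
            raise ValueError("unknown option: %s" % opt)
        allowed.discard(opt[len("OP_NO_"):])  # no-op if the method never offered it
    return allowed


def negotiate(client_versions, server_versions):
    """TLS selects the highest version both peers allow; None means the
    handshake fails because there is no common protocol version."""
    common = client_versions & server_versions
    if not common:
        return None
    return max(common, key=VERSIONS.index)


# Server as described in the report: a negotiating server on which the
# crypto-policies change has switched SSLv3 (and SSLv2) off.
CRYPTO_POLICY_SERVER = enabled_versions("SSLv23_METHOD", ("OP_NO_SSLv2", "OP_NO_SSLv3"))
# Hypothetical stricter server that has also dropped TLS 1.0.
NO_TLS10_SERVER = enabled_versions(
    "SSLv23_METHOD", ("OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1"))


def koji_1_9_0_client():
    """Unpatched SSLCommon.py: SSLv3_METHOD with OP_NO_SSLv2 | OP_NO_TLSv1."""
    return enabled_versions("SSLv3_METHOD", ("OP_NO_SSLv2", "OP_NO_TLSv1"))


def tlsv1_patch_client():
    """First proposal in the thread: TLSv1_METHOD with OP_NO_SSLv3 | OP_NO_SSLv2."""
    return enabled_versions("TLSv1_METHOD", ("OP_NO_SSLv3", "OP_NO_SSLv2"))


def sslv23_client():
    """What the thread settles on: SSLv23_METHOD with OP_NO_SSLv2 | OP_NO_SSLv3."""
    return enabled_versions("SSLv23_METHOD", ("OP_NO_SSLv2", "OP_NO_SSLv3"))


def outcomes():
    """Handshake result for each client configuration against each server."""
    clients = {"koji-1.9.0": koji_1_9_0_client(),
               "TLSv1_METHOD patch": tlsv1_patch_client(),
               "SSLv23_METHOD": sslv23_client()}
    servers = {"crypto-policies (no SSLv3)": CRYPTO_POLICY_SERVER,
               "no TLS 1.0": NO_TLS10_SERVER}
    return {(c, s): negotiate(cv, sv)
            for c, cv in clients.items() for s, sv in servers.items()}


def _verify_cb(conn, cert, errnum, depth, ok):
    """Stand-in for koji's our_verify: accept whatever OpenSSL's chain check accepted."""
    return bool(ok)


def create_ssl_context(key_and_cert, ca_cert):
    """Corrected builder in the shape of koji's CreateSSLContext (hypothetical
    name). Requires pyOpenSSL; imported lazily so the model above runs without it."""
    from OpenSSL import SSL
    ctx = SSL.Context(SSL.SSLv23_METHOD)       # negotiate, do not pin one version
    ctx.use_certificate_file(key_and_cert)
    ctx.use_privatekey_file(key_and_cert)
    ctx.load_client_ca(ca_cert)
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, _verify_cb)
    ctx.set_verify_depth(10)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)  # then forbid the broken versions
    return ctx


if __name__ == "__main__":
    for (client, server), version in sorted(outcomes().items()):
        print("%-20s vs %-28s -> %s" % (client, server, version or "handshake fails"))
```

Running the model reproduces the report: the SSLv3-only koji client fails against a server with SSLv3 disabled, the TLSv1_METHOD patch works against that server but fails as soon as TLS 1.0 is retired too, and the SSLv23_METHOD client gets TLS 1.2 in both cases. The same reasoning applies today to OP_NO_TLSv1 and OP_NO_TLSv1_1, which belong in the set_options mask of a negotiating context rather than in a pinned method.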