For authentication the koji client uses only SSLv3:

/usr/lib/python2.7/site-packages/koji/ssl/SSLCommon.py:
    ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only

SSLv3 is now known to be breakable and connections using it could be decrypted. Please switch to TLSv1.2 if possible.
It's pretty easy to force it to TLSv1: diff -Nur koji-1.9.0.orig/koji/ssl/SSLCommon.py koji-1.9.0/koji/ssl/SSLCommon.py --- koji-1.9.0.orig/koji/ssl/SSLCommon.py 2014-03-24 14:41:22.000000000 -0600 +++ koji-1.9.0/koji/ssl/SSLCommon.py 2014-10-14 21:30:05.777752358 -0600 @@ -37,7 +37,7 @@ if f and not os.access(f, os.R_OK): raise StandardError, "%s does not exist or is not readable" % f - ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only + ctx = SSL.Context(SSL.TLSv1_METHOD) # TLS v1 only ctx.use_certificate_file(key_and_cert) ctx.use_privatekey_file(key_and_cert) ctx.load_client_ca(ca_cert) @@ -45,7 +45,7 @@ verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT ctx.set_verify(verify, our_verify) ctx.set_verify_depth(10) - ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1) + ctx.set_options(SSL.OP_NO_SSLv3 | SSL.OP_NO_SSLv2) return ctx However, to do 1.1 or 1.2 specifically, we need a newer pyOpenSSL, which was committed, but never built. ;(
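Review bot: In the first hunk (@@ -37,7 +37,7 @@), `ctx = SSL.Context(SSL.TLSv1_METHOD)` pins the client to exactly TLS 1.0, so it trades one fixed protocol for another and will need a second patch the moment TLS 1.0 is retired. A version-flexible method (`SSL.SSLv23_METHOD`, available in older pyOpenSSL too) negotiates the highest version the linked OpenSSL supports and leaves the exclusion of SSLv2/SSLv3 to `set_options`, which avoids waiting for the newer pyOpenSSL build mentioned below the patch.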
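Review bot: In the second hunk (@@ -45,7 +45,7 @@), `ctx.set_options(SSL.OP_NO_SSLv3 | SSL.OP_NO_SSLv2)` is redundant as long as the context is built with `TLSv1_METHOD`, since that method can never negotiate SSLv2 or SSLv3 anyway; it only becomes the effective control if the method is switched to `SSLv23_METHOD`, in which case keep both flags exactly as written here. The removal of `SSL.OP_NO_TLSv1` from the old line is correct and should be called out in the commit message, because with the old `SSLv3_METHOD` that flag was a no-op and a reader comparing the two lines may wonder why TLS 1.0 is now permitted.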
Can we push this out? I am seeing some reports that at least in rawhide the crypto-policies package has disabled SSLv3 use, breaking koji clients (see https://fedorahosted.org/rel-eng/ticket/6054). So, we should at least push to rawhide, and I would think just pushing it out to other branches would be nice too.
Please use SSLv23_METHOD instead of TLSv1_METHOD. This way the highest available TLS version will be used. For blocking the SSLv2 and 3, the set_options method call is sufficient.
That needs the newest pyOpenSSL however right?
I don't think so. The SSLv23_METHOD is present in older pyOpenSSL as well.
So it is. :) I agree, we should change to SSLv23_METHOD
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Still an issue on fc23
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.