Bug 1178131 - SSL supports only broken crypto
Summary: SSL supports only broken crypto
Keywords:
Status: CLOSED EOL
Alias: None
Product: RDO
Classification: Community
Component: distribution
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: Juno
Assignee: Nathan Kinder
QA Contact: Shai Revivo
URL:
Whiteboard:
Depends On:
Blocks: 1178133
 
Reported: 2015-01-02 14:10 UTC by Lukas Bezdicka
Modified: 2016-05-19 15:35 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1178133
Environment:
Last Closed: 2016-05-19 15:35:36 UTC
Embargoed:



Description Lukas Bezdicka 2015-01-02 14:10:51 UTC
Description of problem:
OpenStack uses common copy-pasted SSL support, which can be seen at:
https://github.com/openstack/nova/blob/master/nova/openstack/common/sslutils.py

This code allows only SSLv3 or TLSv1, which are both broken. Python actually has support for TLSv1.2, which should be preferred, but only from version 2.7.9, which we don't have in CentOS or RHEL - python-2.7.5-16.el7.x86_64

rabbitmq dropped support for broken crypto and now we get:
nova:
AMQP server on 192.168.122.59:5671 is unreachable: [Errno 1] _ssl.c:504: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version. Trying again in 30 seconds.

rabbit:
=ERROR REPORT==== 2-Jan-2015::09:09:57 ===
error on AMQP connection <0.1322.0>: {ssl_upgrade_error,
                                      {tls_alert,"protocol version"}} (unknown POSIX error)
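
The mitigation the report points toward, written for a current Python 3 interpreter: refuse the legacy protocol names, confirm the runtime can actually negotiate TLS 1.2, and pin that as the minimum on a verifying client context. This is an added example, not code from the bug report or from sslutils.py; the function names and the option strings ("sslv3", "tlsv1_2", ...) are assumptions made for illustration.

```python
import ssl

# Hypothetical option names for this example; not taken from sslutils.py.
_REJECTED = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}
_MINIMUMS = {"tlsv1_2": "TLSv1_2", "tlsv1_3": "TLSv1_3"}


def runtime_supports(name):
    """Return True if this interpreter/OpenSSL build offers the named version.

    The report's failure mode is a runtime that cannot speak what the peer
    requires, so the capability is probed instead of assumed.
    """
    if name == "tlsv1_3":
        return bool(getattr(ssl, "HAS_TLSv1_3", False))
    if name == "tlsv1_2":
        return bool(getattr(ssl, "HAS_TLSv1_2",
                            hasattr(ssl, "PROTOCOL_TLSv1_2")))
    return False


def client_context(min_version="tlsv1_2", cafile=None):
    """Build a verifying client context with an enforced protocol floor."""
    name = min_version.lower()
    if name in _REJECTED:
        raise ValueError("%s is a legacy protocol and is refused" % min_version)
    if name not in _MINIMUMS:
        raise ValueError("unknown protocol option: %s" % min_version)
    if not runtime_supports(name):
        raise RuntimeError("%s is not available with %s"
                           % (min_version, ssl.OPENSSL_VERSION))
    # create_default_context enables certificate and hostname verification.
    ctx = ssl.create_default_context(cafile=cafile)
    # Pin a floor, not a single version, so newer versions still negotiate.
    ctx.minimum_version = getattr(ssl.TLSVersion, _MINIMUMS[name])
    return ctx


if __name__ == "__main__":
    ctx = client_context()
    print(ssl.OPENSSL_VERSION, "minimum:", ctx.minimum_version.name)
```
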

Comment 3 Chandan Kumar 2016-05-19 15:35:36 UTC
This bug is against a Version which has reached End of Life.
If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.

