Posted to dev@qpid.apache.org by "Justin Ross (JIRA)" <ji...@apache.org> on 2018/03/14 03:34:00 UTC

[jira] [Commented] (QPID-6166) [python] Disable SSLv3 support in pure-python client

    [ https://issues.apache.org/jira/browse/QPID-6166?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16398046#comment-16398046 ] 

Justin Ross commented on QPID-6166:
-----------------------------------

I checked on my F26 box and on CentOS 7.  It appears we can do this now.

[root@7d9ac0a8cf05 /]# python                     <-- CentOS 7
Python 2.7.5 (default, Aug 4 2017, 00:39:18) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OP_NO_SSLv3
33554432

> [python] Disable SSLv3 support in pure-python client
> ----------------------------------------------------
>
>                 Key: QPID-6166
>                 URL: https://issues.apache.org/jira/browse/QPID-6166
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>    Affects Versions: 0.30
>            Reporter: Ken Giusti
>            Assignee: Ken Giusti
>            Priority: Major
>             Fix For: qpid-python-1.38.0
>
>
> In light of the padding vulnerability of SSLv3, we should prevent the python client from allowing the SSL handshake to downgrade to SSLv3.
> Unfortunately, the latest release of python 2.7.8 does not give us the ability to disable just the SSLv3 capability.  The next release of python (2.7.9) should allow this according to the documentation:  
> https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3
> This vulnerability can be disabled merely by eliminating support for SSLv3 on one end of the connection. Given that QPID-6160 will disable SSLv3 on the broker, simply fixing this on the broker side will mitigate the issue.  So until the next version of Python is made available, we should recommend QPID-6160 be adopted as the fix to this problem.
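
A client-side context built the way the comment above implies (ssl.OP_NO_SSLv3 OR'd into the options of a PROTOCOL_SSLv23 context), as an added example that is not the Qpid python client's own code. The function names make_client_context and sslv3_disabled are assumed; the fallback error message points at QPID-6160 only because the issue text names it as the broker-side mitigation.

```python
import ssl

# Bit value the CentOS 7 session above printed for ssl.OP_NO_SSLv3
# (0x02000000); kept as a constant so the interpreter can be cross-checked.
OBSERVED_OP_NO_SSLv3 = 33554432


def sslv3_can_be_disabled():
    """True when this Python exposes both SSLContext and OP_NO_SSLv3, which the
    issue description notes was missing before 2.7.9."""
    return hasattr(ssl, "SSLContext") and hasattr(ssl, "OP_NO_SSLv3")


def op_no_sslv3_matches_observed():
    """Sanity check: does ssl.OP_NO_SSLv3 here equal the value seen on CentOS 7?"""
    return int(ssl.OP_NO_SSLv3) == OBSERVED_OP_NO_SSLv3


def make_client_context(cafile=None):
    """Build a client SSLContext that can negotiate TLS but never SSLv2/SSLv3.

    PROTOCOL_SSLv23 (PROTOCOL_TLS_CLIENT on newer Pythons) lets both ends pick
    the highest common version; setting OP_NO_SSLv2 | OP_NO_SSLv3 removes the
    SSL versions from that negotiation, so a downgrade to SSLv3 is impossible
    regardless of what the broker offers.
    """
    if not sslv3_can_be_disabled():
        raise RuntimeError(
            "ssl.OP_NO_SSLv3 unavailable on this Python; rely on the "
            "broker-side fix (QPID-6160) until the interpreter is upgraded")
    proto = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(proto)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Verify the broker certificate and hostname; verify_mode must be set
    # before check_hostname or SSLContext raises ValueError.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def sslv3_disabled(ctx_or_options):
    """Report whether the OP_NO_SSLv3 bit is set on a context or a raw options int."""
    options = getattr(ctx_or_options, "options", ctx_or_options)
    return bool(int(options) & ssl.OP_NO_SSLv3)
```

Checking `sslv3_disabled(ctx)` after building the context is the cheap regression test: it reads the option bits back rather than trusting that the assignment line is still present.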
