[QPID-6166] [python] Disable SSLv3 support in pure-python client - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 0.30
Fix Version/s: qpid-python-1.38.0
Component/s: Python Client
Labels:
None

Description

In light of the padding vulnerability of SSLv3, we should prevent the python client from allowing the SSL handshake to downgrade to SSLv3.

Unfortunately, the latest release of python 2.7.8 does not give us the ability to disable just the SSLv3 capability. The next release of python (2.7.9) should allow this according to the documentation:

https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3

This vulnerability can be disabled merely by eliminating support for SSLv3 on one end of the connection. Given that ~~QPID-6160~~ will disable SSLv3 on the broker, simply fixing this on the broker side will mitigate the issue. So until the next version of Python is made available, we should recommend ~~QPID-6160~~ be adopted as the fix to this problem.

Attachments

Activity

People

Assignee:: Ken Giusti

Reporter:: Ken Giusti

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/Oct/14 19:35

Updated:: 14/Mar/18 03:33