group.of.nepali.translators team mailing list archive

[Hua Zhang <1904988@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
sslv23

This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
think we should set defaults to be sslv23 not tlsv1.

python-eventlet=0.19.0-2 started to the same thing as well, but can
xenial users also enjoy these benefits?

BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
[2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
convenient and safer than just having tlsv1_0. and the upstream is also
using sslv23 as well [3].

[1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
[2] https://docs.python.org/2/library/ssl.html#socket-creation
[3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51

** Affects: python-eventlet (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: python-eventlet (Ubuntu Xenial)
     Importance: Undecided
         Status: New


** Tags: sts

** Tags added: sts

** Description changed:

  python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
  defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
  sslv23
  
  This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
  think we should set defaults to be sslv23 not tlsv1.
  
  python-eventlet=0.19.0-2 started to the same thing as well, but can
  xenial users also enjoy these benefits?
  
  BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
  [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
  connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
- convenient and safer than just having tlsv1_0
+ convenient and safer than just having tlsv1_0. and the upstream is also
+ using sslv23 as well [3].
  
  [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
  [2] https://docs.python.org/2/library/ssl.html#socket-creation
+ [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51

** Also affects: python-eventlet (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1904988

Title:
  set defaults to be sslv23 not tlsv1

Status in python-eventlet package in Ubuntu:
  New
Status in python-eventlet source package in Xenial:
  New

Bug description:
  python-eventlet=0.18.4-1ubuntu1 (xenial) is applying the d/p/set-
  defaults-to-be-tlsv1-not-sslv23.patch to set defaults to be tlsv1 not
  sslv23

  This will prevent xenial users from using tlsv1_1 and tlsv1_2, so I
  think we should set defaults to be sslv23 not tlsv1.

  python-eventlet=0.19.0-2 started to the same thing as well, but can
  xenial users also enjoy these benefits?

  BTW, xenial uses openssl=1.0.2g-1ubuntu4.17, so according to the page
  [2] after openssl 1.0.0 an SSLv23 client would not attempt SSLv2
  connections so it just brings tlsv1_0, tlsv1_1 and tlsv1_2, it's more
  convenient and safer than just having tlsv1_0. and the upstream is
  also using sslv23 as well [3].

  [1] https://launchpad.net/ubuntu/+source/python-eventlet/0.19.0-2
  [2] https://docs.python.org/2/library/ssl.html#socket-creation
  [3] https://github.com/eventlet/eventlet/blob/v0.18.4/eventlet/green/ssl.py#L51

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/1904988/+subscriptions