yahoo-eng-team team mailing list archive
Message #72947
[Bug 1771773] [NEW] Ssl2/3 should not be used for secure VNC access
Public bug reported:
This report is based on Bandit scanner results.
On
https://git.openstack.org/cgit/openstack/nova/tree/nova/console/rfb/authvencrypt.py?h=refs/heads/master#n137
137 wrapped_sock = ssl.wrap_socket(
wrap_socket is used without ssl_version, which means SSLv23 by default.
As the server part (QEMU) is based on gnutls, which supports all modern TLS versions,
it is possible to use a stricter TLS version on the client (TLSv1.2).
Another option is to make this param configurable.
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1771773
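An added example (not nova's code and not part of the bug report) of the stricter client setting the report proposes: an ssl.SSLContext with a TLSv1.2 floor and a configurable minimum, used in place of ssl.wrap_socket, which was removed in Python 3.12. The function names and the accepted option strings are assumptions.

```python
import ssl

# Option strings a deployment might accept (hypothetical names, not nova's).
ALLOWED_FLOORS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_client_context(min_version="TLSv1.2", ca_file=None):
    """Build a client-side context that refuses anything below min_version."""
    if min_version not in ALLOWED_FLOORS:
        # Fail closed: a typo or a legacy value must not silently weaken TLS.
        raise ValueError("unsupported minimum TLS version: %r" % (min_version,))
    # create_default_context enables certificate and hostname verification.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ALLOWED_FLOORS[min_version]
    return ctx


def permits_legacy(ctx):
    """True if the context's version floor is below TLSv1.2.

    TLSVersion.MINIMUM_SUPPORTED is negative, so it also compares as legacy.
    Only the floor is checked, not per-version OP_NO_* options.
    """
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def wrap_client(sock, server_hostname, **kwargs):
    """Wrap an already connected socket using the hardened context."""
    ctx = make_client_context(**kwargs)
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```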