yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #74231
[Bug 1771773] Re: Ssl2/3 should not be used for secure VNC access
I'm going to close out this bug based on input from Daniel Berrange from
the patch review:
"IMHO hardcoding a specific TLS version is pretty undesirable. There is
active work to enable TLS 1.3 in all crypto libraries in the very near
future, so we really want choice of version to be configurable, to avoid
having to make potentially bogus assumptions about which specific
versions are desired.
In Fedora there is a systemwide crypto policy which controls what
versions of TLS openssl uses in all apps. IIUC, the original code should
honour that global policy, so if the admin turned off TLS 1.0 / 1.1 in
global policy Nova would already be doing the right thing. By
explicitly setting a version here, it overrides the system global
defaults. IOW if those defaults requested 1.3, this proposed change will
in fact cause a regression."
** Changed in: nova
Status: In Progress => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1771773
Title:
Ssl2/3 should not be used for secure VNC access
Status in OpenStack Compute (nova):
Invalid
Bug description:
This report is based on Bandit scanner results.
On
https://git.openstack.org/cgit/openstack/nova/tree/nova/console/rfb/authvencrypt.py?h=refs/heads/master#n137
137 wrapped_sock = ssl.wrap_socket(
wrap_socket is used without ssl_version that means SSLv23 by default.
As server part (QEMU) is based on gnutls supporting all modern TLS versions
it is possible to use stricter tls version on the client (TLSv1.2).
Another option is to make this param configurable.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1771773/+subscriptions
References