yahoo-eng-team team mailing list archive

[Bug 1771773] Re: Ssl2/3 should not be used for secure VNC access


I'm going to close out this bug based on input from Daniel Berrange from
the patch review:

"IMHO hardcoding a specific TLS version is pretty undesirable. There is
active work to enable TLS 1.3 in all crypto libraries in the very near
future, so we really want choice of version to be configurable, to avoid
having to make potentially bogus assumptions about which specific
versions are desired.

In Fedora there is a systemwide crypto policy which controls what
versions of TLS openssl uses in all apps. IIUC, the original code should
honour that global policy, so if the admin turned off TLS 1.0 / 1.1 in
global policy Nova would already be doing the right thing.  By
explicitly setting a version here, it overrides the system global
defaults. IOW if those defaults requested 1.3, this proposed change will
in fact cause a regression."

** Changed in: nova
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1771773

Title:
  Ssl2/3 should not be used for secure VNC access

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  This report is based on Bandit scanner results.

  On
  https://git.openstack.org/cgit/openstack/nova/tree/nova/console/rfb/authvencrypt.py?h=refs/heads/master#n137

  137 wrapped_sock = ssl.wrap_socket(

  wrap_socket is used without ssl_version, which means SSLv23 by default.
  As the server side (QEMU) is based on GnuTLS, which supports all modern TLS
  versions, it is possible to use a stricter TLS version on the client (TLSv1.2).
  Another option is to make this parameter configurable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1771773/+subscriptions
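The trade-off the thread describes, as an added example that is not Nova code and not the proposed patch: pinning one exact TLS version (what the rejected change did) removes SSLv2/SSLv3 but also caps negotiation at that version, so a peer such as QEMU/GnuTLS offering TLS 1.3 is forced down to 1.2 regardless of the system-wide crypto policy. Leaving the maximum alone and only exposing an optional floor (taken here from a hypothetical config string such as "TLSv1_2") keeps SSLv2/SSLv3 excluded while letting the library and the host policy pick the highest version. The function names and the `min_version` parameter are illustrative; the checks work on a bare SSLContext and need no network or certificate.

```python
"""Hardcoded TLS version versus policy-driven negotiation (added example, not Nova code)."""
import ssl
from typing import Optional


def pinned_context(version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Force a single exact protocol version, as the rejected patch effectively did.

    Both the floor and the ceiling are set to `version`, so the context can
    never negotiate anything newer, whatever the system crypto policy allows.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def policy_context(min_version: Optional[str] = None) -> ssl.SSLContext:
    """Leave version selection to OpenSSL (and thus to the system policy).

    PROTOCOL_TLS_CLIENT already disables SSLv2/SSLv3 and turns on certificate
    and hostname verification.  `min_version` is a hypothetical operator
    setting (e.g. "TLSv1_2" from a config file); it only raises the floor and
    never caps the maximum, so TLS 1.3 stays negotiable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if min_version is not None:
        ctx.minimum_version = ssl.TLSVersion[min_version]
    return ctx


def allows_tls13(ctx: ssl.SSLContext) -> bool:
    """True when the context does not cap negotiation below TLS 1.3.

    A fresh context reports MAXIMUM_SUPPORTED, i.e. 'whatever the library can do'.
    """
    return ctx.maximum_version in (ssl.TLSVersion.MAXIMUM_SUPPORTED, ssl.TLSVersion.TLSv1_3)


def rejects_sslv3(ctx: ssl.SSLContext) -> bool:
    """True when SSLv3 is disabled via context options.

    SSLv2 is compiled out of every OpenSSL release in use, so OP_NO_SSLv3 is the
    meaningful flag to check for the legacy protocols the Bandit finding is about.
    """
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def version_range(ctx: ssl.SSLContext) -> tuple:
    """Human-readable (minimum, maximum) version names for a context."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


if __name__ == "__main__":
    for label, ctx in (("pinned  ", pinned_context()),
                       ("policy  ", policy_context()),
                       ("floor1.2", policy_context("TLSv1_2"))):
        print(label, version_range(ctx),
              "tls1.3 ok" if allows_tls13(ctx) else "tls1.3 BLOCKED",
              "sslv3 off" if rejects_sslv3(ctx) else "sslv3 ON")
```

Running the block prints the effective (minimum, maximum) range for each context; the pinned one reports ('TLSv1_2', 'TLSv1_2') and blocks TLS 1.3, while the policy-driven ones keep MAXIMUM_SUPPORTED as the ceiling and still have SSLv3 disabled. Whether the floor reported for the bare policy context is TLS 1.2 or lower depends on the Python release and the OpenSSL configuration on the host, which is exactly the behaviour the review comment wants to preserve.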
