On Tue, Oct 14, 2014 at 9:03 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> Sadly, I didn't test auth connections, and they are broken.
>
> Seems koji hard codes SSLv3 as the one and only ssl method. ;(
>
> We will need to get a patch for koji before we can switch it over.

I fixed connecting to a private instance with the attached patch. I was able to submit a scratch build to the Fedora koji with it applied too.

Note that it only forces TLSv1 because pyOpenSSL in F20 doesn't seem to support TLSv1.1 or TLSv1.2. :-(

-T.C.
From ae14012eab8caeae1548a9246c63378cd052efe2 Mon Sep 17 00:00:00 2001
From: "T.C. Hollingsworth" <tchollingsworth@xxxxxxxxx>
Date: Tue, 14 Oct 2014 23:00:40 -0700
Subject: [PATCH] use TLSv1 and disable SSLv3 to avoid POODLE attacks

---
 koji/ssl/SSLCommon.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koji/ssl/SSLCommon.py b/koji/ssl/SSLCommon.py
index 1a3b3d6..b218a80 100644
--- a/koji/ssl/SSLCommon.py
+++ b/koji/ssl/SSLCommon.py
@@ -37,7 +37,7 @@ def CreateSSLContext(certs):
     if f and not os.access(f, os.R_OK):
         raise StandardError, "%s does not exist or is not readable" % f
-    ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
+    ctx = SSL.Context(SSL.TLSv1_METHOD) # TLSv1 only
     ctx.use_certificate_file(key_and_cert)
     ctx.use_privatekey_file(key_and_cert)
     ctx.load_client_ca(ca_cert)
@@ -45,7 +45,7 @@ def CreateSSLContext(certs):
     verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
     ctx.set_verify(verify, our_verify)
     ctx.set_verify_depth(10)
-    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
     return ctx
-- 
1.9.3
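Review bot: The new `set_options` line in the second hunk still carries `SSL.OP_NO_TLSv1` while the first hunk makes the context TLSv1-only, so the single protocol version the context may speak is also the one its options forbid; with a version-specific method OpenSSL seems to ignore that flag (the author reports working builds), but the combination is contradictory and would silently break the moment the method is changed to a negotiating one. Drop the stale flag, and since pyOpenSSL in F20 lacks the TLSv1.1/1.2 method constants, prefer the negotiating method with the weak versions excluded so both sides can use the best version they share rather than being pinned to TLS 1.0: `ctx = SSL.Context(SSL.SSLv23_METHOD) # negotiate; SSLv2/SSLv3 excluded below` and `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`. Whichever choice is kept, the `# TLSv1 only` comment on the first hunk's new line should describe the versions actually permitted. CreateSSLContext begins before the first hunk and the lines between and after the hunks are not visible here.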