Ken Giusti created QPID-6166:
--------------------------------

             Summary: [python] Disable SSLv3 support in pure-python client
                 Key: QPID-6166
                 URL: https://issues.apache.org/jira/browse/QPID-6166
             Project: Qpid
          Issue Type: Bug
          Components: Python Client
    Affects Versions: 0.30
            Reporter: Ken Giusti
            Assignee: Ken Giusti
             Fix For: Future


In light of the padding vulnerability of SSLv3, we should prevent the python 
client from allowing the SSL handshake to downgrade to SSLv3.

Unfortunately, the latest release of python 2.7.8 does not give us the ability 
to disable just the SSLv3 capability.  The next release of python (2.7.9) 
should allow this according to the documentation:  

https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3

This vulnerability can be disabled merely by eliminating support for SSLv3 on 
one end of the connection. Given that QPID-6160 will disable SSLv3 on the 
broker, simply fixing this on the broker side will mitigate the issue.  So 
until the next version of Python is made available, we should recommend 
QPID-6160 be adopted as the fix to this problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
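As an added example (not Qpid's own client code, and not part of the issue above): the fix the issue anticipates for Python 2.7.9+, written against the standard ssl module. The function names are mine. make_client_context() builds a client-side SSLContext that masks SSLv2 and SSLv3 out of the negotiable range with ssl.OP_NO_SSLv3 (the attribute linked in the issue) and, where the interpreter offers it, pins an explicit floor of TLS 1.2 as well; sslcontext_available() reproduces the 2.7.8 problem the issue describes, since without ssl.SSLContext there is no way to mask out only SSLv3, and the caller is told to fall back on the broker-side fix.

```python
import ssl
import sys

# Added example for QPID-6166. Assumed names: sslcontext_available,
# make_client_context, sslv3_disabled are illustrative, not Qpid API.


def sslcontext_available():
    """True when this interpreter exposes ssl.SSLContext (2.7.9+ / 3.2+).

    Python 2.7.8 and earlier only offer ssl.wrap_socket(), which cannot mask
    out SSLv3 while still negotiating the TLS versions.  That is the gap the
    issue describes, and why QPID-6160 (broker side) is the interim fix.
    """
    return hasattr(ssl, "SSLContext")


def make_client_context(cafile=None):
    """Client context that can never negotiate SSLv2/SSLv3.

    cafile: optional PEM bundle for the broker's CA; when omitted the
    platform default trust store is used.
    """
    if not sslcontext_available():
        raise RuntimeError(
            "Python %s cannot disable SSLv3 alone; rely on QPID-6160 (broker)"
            % sys.version.split()[0])

    # PROTOCOL_TLS_CLIENT (3.6+) is preferred; PROTOCOL_SSLv23 is the
    # 2.7.9-era spelling of "negotiate the highest version both sides
    # support".  Either way OP_NO_* removes versions from that range.
    proto = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(proto)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3

    # On 3.7+ an explicit floor is clearer than option masks and also drops
    # TLS 1.0/1.1, which have their own problems.
    if hasattr(ctx, "minimum_version"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    # Refusing SSLv3 is pointless if the peer is not authenticated: an
    # active attacker could simply present their own certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def sslv3_disabled(ctx):
    """Check a context the way a unit test for the client would.

    Both conditions must hold: the OP_NO_SSLv3 bit is set, and, where the
    interpreter tracks a version floor, that floor is at least TLS 1.0.
    """
    if not (ctx.options & ssl.OP_NO_SSLv3):
        return False
    if hasattr(ctx, "minimum_version"):
        return ctx.minimum_version >= ssl.TLSVersion.TLSv1
    return True


def wrap_broker_socket(ctx, sock, broker_host):
    """Wrap an already-connected TCP socket to the broker; the handshake
    fails closed if the broker offers only SSLv3 or an untrusted cert."""
    return ctx.wrap_socket(sock, server_hostname=broker_host)


if __name__ == "__main__":
    context = make_client_context()
    print("SSLv3 disabled:", sslv3_disabled(context))
```

Usage note: on 2.7.8 the only lever is wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1), which pins the connection to exactly TLS 1.0 rather than excluding only SSLv3, so it is not a drop-in substitute. Python 3 has shipped OP_NO_SSLv3 in the default options for years, so sslv3_disabled() is mainly useful as a regression test guarding against someone later clearing the options or lowering minimum_version.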