[jira] [Updated] (QPID-6166) [python] Disable SSLv3 support in pure-python client
[ https://issues.apache.org/jira/browse/QPID-6166?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Ross updated QPID-6166: -- Fix Version/s: (was: qpid-python-1.36.0) qpid-python-1.37.0 > [python] Disable SSLv3 support in pure-python client > > > Key: QPID-6166 > URL: https://issues.apache.org/jira/browse/QPID-6166 > Project: Qpid > Issue Type: Bug > Components: Python Client >Affects Versions: 0.30 >Reporter: Ken Giusti >Assignee: Ken Giusti > Fix For: qpid-python-1.37.0 > > > In light of the padding vulnerability of SSLv3, we should prevent the python > client from allowing the SSL handshake to downgrade to SSLv3. > Unfortunately, the latest release of python 2.7.8 does not give us the > ability to disable just the SSLv3 capability. The next release of python > (2.7.9) should allow this according to the documentation: > https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3 > This vulnerability can be disabled merely by eliminating support for SSLv3 on > one end of the connection. Given that QPID-6160 will disable SSLv3 on the > broker, simply fixing this on the broker side will mitigate the issue. So > until the next version of Python is made available, we should recommend > QPID-6160 be adopted as the fix to this problem. -- This message was sent by Atlassian JIRA (v6.3.15#6346) - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
[jira] [Updated] (QPID-6166) [python] Disable SSLv3 support in pure-python client
[ https://issues.apache.org/jira/browse/QPID-6166?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Ross updated QPID-6166: -- Fix Version/s: (was: Future) qpid-python-1.36.0 > [python] Disable SSLv3 support in pure-python client > > > Key: QPID-6166 > URL: https://issues.apache.org/jira/browse/QPID-6166 > Project: Qpid > Issue Type: Bug > Components: Python Client >Affects Versions: 0.30 >Reporter: Ken Giusti >Assignee: Ken Giusti > Fix For: qpid-python-1.36.0 > > > In light of the padding vulnerability of SSLv3, we should prevent the python > client from allowing the SSL handshake to downgrade to SSLv3. > Unfortunately, the latest release of python 2.7.8 does not give us the > ability to disable just the SSLv3 capability. The next release of python > (2.7.9) should allow this according to the documentation: > https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv3 > This vulnerability can be disabled merely by eliminating support for SSLv3 on > one end of the connection. Given that QPID-6160 will disable SSLv3 on the > broker, simply fixing this on the broker side will mitigate the issue. So > until the next version of Python is made available, we should recommend > QPID-6160 be adopted as the fix to this problem. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
