Public bug reported:

Description:    Ubuntu 12.04.1 LTS
Release:        12.04

python-openssl:
  Installed: 0.12-1ubuntu2.1
  Candidate: 0.12-1ubuntu2.1
  Version table:
 *** 0.12-1ubuntu2.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     0.12-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

We use 12.04 and Openstack with NoVNC. NoVNC recently broke when we
updated our SSL certificates to sha256 from sha1 (the only change).
Doing some testing:

#!/usr/bin/env python

import ssl
import socket

# Plain TCP listener; TLS is negotiated on the accepted connection.
listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
listen_sock.bind(('', 8675))
listen_sock.listen(1)
conn_sock, _addr = listen_sock.accept()

# Server-side TLS with the ssl module's default cipher list (no ciphers= given).
ssl_sock = ssl.wrap_socket(conn_sock,
                           keyfile='/etc/apache2/ssl/yyy.yyyyy.com.key',
                           certfile='/etc/apache2/ssl/yyy.yyyyy.com.crt',
                           server_side=True)

^^ This breaks.

#!/usr/bin/env python

import ssl
import socket

# Same listener as above.
listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
listen_sock.bind(('', 8675))
listen_sock.listen(1)
conn_sock, _addr = listen_sock.accept()

# Explicit OpenSSL cipher string: ephemeral (EC)DH first, then RSA key exchange,
# with anonymous suites, MD5 and DSS excluded.
ciphers = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
           "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

# Identical call, but with the cipher list passed in.
ssl_sock = ssl.wrap_socket(conn_sock,
                           keyfile='/etc/apache2/ssl/yyy.yyyyy.com.key',
                           certfile='/etc/apache2/ssl/yyy.yyyyy.com.crt',
                           server_side=True,
                           ciphers=ciphers)

^^ This works.

The problem is not isolated to NoVNC (by any means). The python install
by default doesn't seem to want to support sha256 SSL certificates
without defining the ciphers. Additionally, python seems to degrade to
almost the worst possible (and most vulnerable) SSL cipher suite
selection unless specifically defined.

Can this be fixed for 12.04 LTS? (Also, feel free to smack me down if
I'm wrong somehow, I'm severely sleep deprived this week).

** Affects: pyopenssl (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1411452

Title:
  python-openssl seems to use insecure ciphers by default (and sha2
  certificates break)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pyopenssl/+bug/1411452/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
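The cipher-list question the report raises (what a given OpenSSL cipher string actually enables, and whether weak suites slip in) can be checked without a certificate or a listening socket. The following is an added example, not code from the bug report and not part of python-openssl; like the reporter's scripts it uses the standard-library ssl module rather than pyOpenSSL. It assumes a Python 3.7+ ssl module built against OpenSSL 1.1.0 or later. REPORTED_CIPHERS is the reporter's string verbatim; HARDENED_CIPHERS, WEAK_MARKERS and the function names are this example's own choices. It does not reproduce the SHA-256 certificate failure described above (no certificate is loaded unless one is passed in); it only audits what each cipher string enables on the local OpenSSL and shows how to build a server context with an explicit list and a TLS 1.2 floor instead of relying on the module's defaults.

```python
import ssl

# Cipher string from the bug report, reproduced verbatim.
REPORTED_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)

# Tighter list chosen for this example (not from the report): forward-secret
# key exchange and AEAD ciphers only, nothing else.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"

# Substrings of OpenSSL suite names that mark algorithms a server should not
# offer: single/triple DES, RC4, MD5 MACs, NULL encryption, export grade and
# anonymous (ADH/AECDH) key exchange. This table is the example's own.
WEAK_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def enabled_ciphers(cipher_string):
    """Return the suite names the local OpenSSL enables for cipher_string.

    set_ciphers() raises ssl.SSLError if the string matches no suite at all,
    which is the same failure a server would hit at wrap time.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_string):
    """Suite names enabled by cipher_string that carry a weak-algorithm marker."""
    return [name for name in enabled_ciphers(cipher_string)
            if any(marker in name for marker in WEAK_MARKERS)]


def build_server_context(cipher_string, certfile=None, keyfile=None):
    """Server-side context with an explicit cipher list and a TLS 1.2 floor.

    This is the ssl.SSLContext equivalent of the reporter's wrap_socket()
    calls. certfile/keyfile are loaded only when given, so the audit
    functions above can run without a certificate on disk.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    for label, spec in (("reported", REPORTED_CIPHERS),
                        ("hardened", HARDENED_CIPHERS)):
        names = enabled_ciphers(spec)
        print("%s: %d suites enabled; weak: %s"
              % (label, len(names), ", ".join(weak_suites(spec)) or "none"))
```

Run it directly to see the two lists side by side. Whether 3DES suites (DES-CBC3-SHA and friends) show up under "reported" depends on the local OpenSSL build and its security level; the RSA+ entries in that string also keep non-forward-secret RSA key exchange on the table, which the hardened list drops. The TLS 1.3 suites OpenSSL adds on its own (TLS_AES_*, TLS_CHACHA20_*) appear in both lists because they are configured separately from the cipher string.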