Public bug reported:

Description:    Ubuntu 12.04.1 LTS
Release:        12.04

python-openssl:
  Installed: 0.12-1ubuntu2.1
  Candidate: 0.12-1ubuntu2.1
  Version table:
 *** 0.12-1ubuntu2.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     0.12-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

We use 12.04 and Openstack with NoVNC. NoVNC recently broke when we updated our SSL certificates to sha256 from sha1 (the only change). Doing some testing:

    #!/usr/bin/env python
    import ssl
    import socket

    listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listen_sock.bind(('', 8675))
    listen_sock.listen(1)
    conn_sock, _addr = listen_sock.accept()
    # Wrap the accepted connection using the library's default cipher list
    ssl_sock = ssl.wrap_socket(conn_sock,
                               keyfile='/etc/apache2/ssl/yyy.yyyyy.com.key',
                               certfile='/etc/apache2/ssl/yyy.yyyyy.com.crt',
                               server_side=True)

^^ This breaks.

    #!/usr/bin/env python
    import ssl
    import socket

    listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listen_sock.bind(('', 8675))
    listen_sock.listen(1)
    conn_sock, _addr = listen_sock.accept()
    # Same as above, but with an explicit cipher preference list
    ciphers = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
               "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")
    ssl_sock = ssl.wrap_socket(conn_sock,
                               keyfile='/etc/apache2/ssl/yyy.yyyyy.com.key',
                               certfile='/etc/apache2/ssl/yyy.yyyyy.com.crt',
                               server_side=True,
                               ciphers=ciphers)

^^ This works.

The problem is not isolated to NoVNC (by any means). The python install by default doesn't seem to want to support sha256 SSL certificates without defining the ciphers. Additionally, python seems to degrade to almost the worst possible (and most vulnerable) SSL cipher suite selection unless specifically defined.

Can this be fixed for 12.04 LTS?

(Also, feel free to smack me down if I'm wrong somehow, I'm severely sleep deprived this week).
** Affects: pyopenssl (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1411452

Title:
  python-openssl seems to use insecure ciphers by default (and sha2 certificates break)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pyopenssl/+bug/1411452/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
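The report's fix is to stop relying on the library's default cipher list and pin one explicitly. The following is an added example (not code from the bug report, from pyopenssl, or from Ubuntu) showing how a server operator can do that with Python 3's ssl.SSLContext and, before deploying a cipher string, audit what it actually expands to on the local OpenSSL build. REPORTER_CIPHERS is copied from the report; STRICT_CIPHERS and UNWANTED_MARKERS are assumed policy choices of this example, not anything the report or the package defines. Note that the reporter's string still admits 3DES suites, which this audit flags wherever the local OpenSSL has them compiled in.

```python
import ssl

# Cipher string the reporter had to pass explicitly (copied from the bug report).
REPORTER_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

# Stricter policy assumed by this example: forward-secret AEAD suites only.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!DSS"

# Assumed policy: name fragments of suites a certificate-based server should not
# offer, either because they are weak or because they do not use the server cert.
UNWANTED_MARKERS = ("RC4", "MD5", "DES-CBC3", "NULL", "EXP", "ADH-", "AECDH-", "PSK", "SRP")


def make_server_context(ciphers, certfile=None, keyfile=None):
    """Build a server-side context that pins the cipher list instead of
    trusting the library default. Loading a key pair is optional so the
    policy can be inspected on a host that has no certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError when nothing matches
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def enabled_suites(ctx):
    """Expand the context's cipher string into the concrete suite names
    OpenSSL would offer. TLS 1.3 suites appear here too; they are not
    governed by set_ciphers()."""
    return [c["name"] for c in ctx.get_ciphers()]


def unwanted_suites(ctx):
    """Return the enabled suites that match one of UNWANTED_MARKERS."""
    return [n for n in enabled_suites(ctx) if any(m in n for m in UNWANTED_MARKERS)]


def audit_policy(ciphers):
    """Summarise what a cipher string really enables on this OpenSSL build."""
    try:
        ctx = make_server_context(ciphers)
    except ssl.SSLError as exc:
        return {"valid": False, "error": str(exc), "enabled": [], "unwanted": []}
    enabled = enabled_suites(ctx)
    return {
        "valid": True,
        "enabled": enabled,
        "unwanted": unwanted_suites(ctx),
        "tls13": [n for n in enabled if n.startswith("TLS_")],
    }


if __name__ == "__main__":
    for label, policy in (("reporter", REPORTER_CIPHERS), ("strict", STRICT_CIPHERS)):
        report = audit_policy(policy)
        print(f"{label}: {len(report['enabled'])} suites enabled; "
              f"unwanted: {report['unwanted'] or 'none'}")
```

Run it on the host that will serve the certificate, because the expansion depends on the installed OpenSSL: a string that looks fine in documentation may enable 3DES on one build and nothing at all on another, and an empty result is exactly the "No cipher can be selected" failure audit_policy reports as invalid.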