x/vmware-nsx
Code Issues Proposed changes

Big Switch: Fix SSL version on get_server_cert

Browse Source 
The ssl.get_server_certificate method uses SSLv3 by default.
Support for SSLv3 was dropped on the backend controller in
response to the POODLE vulnerability. This patch fixes it
to use TLSv1 like the wrap_socket method.

Closes-Bug: #1384487
Change-Id: I9cb5f219d327d62168bef2d7dbee22534b2e454e
This commit is contained in:
Kevin Benton 2014-10-28 21:39:04 -07:00
parent 9e1f4ae5d7
commit b760d620ca
3 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
neutron/plugins/bigswitch/servermanager.py
View File

@ -383,7 +383,8 @@ class ServerPool(object):
a given path.
'''
try:
cert = ssl.get_server_certificate((server, port))
cert = ssl.get_server_certificate((server, port),
ssl_version=ssl.PROTOCOL_TLSv1)
except Exception as e:
raise cfg.Error(_('Could not retrieve initial '
'certificate from controller %(server)s. '

3
neutron/tests/unit/bigswitch/test_servermanager.py
View File

@ -71,7 +71,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
pl.servers._get_combined_cert_for_server,
*('example.org', 443)
)
sslgetmock.assert_has_calls([mock.call(('example.org', 443))])
sslgetmock.assert_has_calls([mock.call(
('example.org', 443), ssl_version=ssl.PROTOCOL_TLSv1)])
def test_consistency_watchdog_stops_with_0_polling_interval(self):
pl = manager.NeutronManager.get_plugin()

4
neutron/tests/unit/bigswitch/test_ssl.py
View File

@ -13,6 +13,7 @@
# under the License.
import contextlib
import os
import ssl
import mock
from oslo.config import cfg
@ -106,7 +107,8 @@ class TestSslSticky(test_ssl_certificate_base):
self.getcacerts_m.assert_has_calls([mock.call(self.ca_certs_path)])
# cert should have been fetched via SSL lib
self.sslgetcert_m.assert_has_calls(
[mock.call((self.servername, 443))]
[mock.call((self.servername, 443),
ssl_version=ssl.PROTOCOL_TLSv1)]
)
# cert should have been recorded