diff options
author | Kevin Benton <blak111@gmail.com> | 2014-10-28 21:39:04 -0700 |
---|---|---|
committer | Kevin Benton <kevinbenton@buttewifi.com> | 2014-10-30 08:08:42 +0000 |
commit | 0be0dabf0e221b142e675348a294af89575ce6d0 (patch) | |
tree | 7d76dff9c44208f6c2022859e597068aae02a3c6 | |
parent | 6e0597b2083a9355d7d8e88fa07df1e863502676 (diff) | |
download | neutron-0be0dabf0e221b142e675348a294af89575ce6d0.tar.gz |
Big Switch: Fix SSL version on get_server_cert
The ssl.get_server_certificate method uses SSLv3 by default.
Support for SSLv3 was dropped on the backend controller in
response to the POODLE vulnerability. This patch fixes it
to use TLSv1 like the wrap_socket method.
Closes-Bug: #1384487
Change-Id: I9cb5f219d327d62168bef2d7dbee22534b2e454e
(cherry picked from commit 77e283c94f51e21dcf126a316098c54a7cdfca0f)
-rw-r--r-- | neutron/plugins/bigswitch/servermanager.py | 3 | ||||
-rw-r--r-- | neutron/tests/unit/bigswitch/test_servermanager.py | 3 | ||||
-rw-r--r-- | neutron/tests/unit/bigswitch/test_ssl.py | 4 |
3 files changed, 7 insertions, 3 deletions
diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py index 5adb02d5a6..c10ce72bb5 100644 --- a/neutron/plugins/bigswitch/servermanager.py +++ b/neutron/plugins/bigswitch/servermanager.py @@ -383,7 +383,8 @@ class ServerPool(object): a given path. ''' try: - cert = ssl.get_server_certificate((server, port)) + cert = ssl.get_server_certificate((server, port), + ssl_version=ssl.PROTOCOL_TLSv1) except Exception as e: raise cfg.Error(_('Could not retrieve initial ' 'certificate from controller %(server)s. ' diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py index efab0c41ed..e8d15efa3b 100644 --- a/neutron/tests/unit/bigswitch/test_servermanager.py +++ b/neutron/tests/unit/bigswitch/test_servermanager.py @@ -71,7 +71,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase): pl.servers._get_combined_cert_for_server, *('example.org', 443) ) - sslgetmock.assert_has_calls([mock.call(('example.org', 443))]) + sslgetmock.assert_has_calls([mock.call( + ('example.org', 443), ssl_version=ssl.PROTOCOL_TLSv1)]) def test_consistency_watchdog_stops_with_0_polling_interval(self): pl = manager.NeutronManager.get_plugin() diff --git a/neutron/tests/unit/bigswitch/test_ssl.py b/neutron/tests/unit/bigswitch/test_ssl.py index 6a30744236..f921a4165e 100644 --- a/neutron/tests/unit/bigswitch/test_ssl.py +++ b/neutron/tests/unit/bigswitch/test_ssl.py @@ -13,6 +13,7 @@ # under the License. import contextlib import os +import ssl import mock from oslo.config import cfg @@ -106,7 +107,8 @@ class TestSslSticky(test_ssl_certificate_base): self.getcacerts_m.assert_has_calls([mock.call(self.ca_certs_path)]) # cert should have been fetched via SSL lib self.sslgetcert_m.assert_has_calls( - [mock.call((self.servername, 443))] + [mock.call((self.servername, 443), + ssl_version=ssl.PROTOCOL_TLSv1)] ) # cert should have been recorded |