authorKevin Benton <blak111@gmail.com>2014-10-28 21:39:04 -0700
committerKevin Benton <kevinbenton@buttewifi.com>2014-10-30 08:08:42 +0000
commit0be0dabf0e221b142e675348a294af89575ce6d0 (patch)
tree7d76dff9c44208f6c2022859e597068aae02a3c6
parent6e0597b2083a9355d7d8e88fa07df1e863502676 (diff)
Big Switch: Fix SSL version on get_server_cert
The ssl.get_server_certificate method uses SSLv3 by default. Support for SSLv3 was dropped on the backend controller in response to the POODLE vulnerability. This patch fixes it to use TLSv1 like the wrap_socket method. Closes-Bug: #1384487 Change-Id: I9cb5f219d327d62168bef2d7dbee22534b2e454e (cherry picked from commit 77e283c94f51e21dcf126a316098c54a7cdfca0f)
-rw-r--r--neutron/plugins/bigswitch/servermanager.py3
-rw-r--r--neutron/tests/unit/bigswitch/test_servermanager.py3
-rw-r--r--neutron/tests/unit/bigswitch/test_ssl.py4
3 files changed, 7 insertions, 3 deletions
diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py
index 5adb02d5a6..c10ce72bb5 100644
--- a/neutron/plugins/bigswitch/servermanager.py
+++ b/neutron/plugins/bigswitch/servermanager.py
@@ -383,7 +383,8 @@ class ServerPool(object):
a given path.
'''
try:
- cert = ssl.get_server_certificate((server, port))
+ cert = ssl.get_server_certificate((server, port),
+ ssl_version=ssl.PROTOCOL_TLSv1)
except Exception as e:
raise cfg.Error(_('Could not retrieve initial '
'certificate from controller %(server)s. '
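Review bot: `ssl_version=ssl.PROTOCOL_TLSv1` on the added line selects exactly one protocol version rather than a floor, so this call will break in the same way the day the controller also retires TLS 1.0, and there is no negotiation upward to TLS 1.1/1.2. Given that `ssl.get_server_certificate` here takes only `ssl_version` and no context through which `OP_NO_SSLv3` could be set, the pin is the option available, but the version should live in one place shared with the `wrap_socket` call the description mentions so the two paths cannot drift again, e.g. a module-level `SSL_PROTOCOL = ssl.PROTOCOL_TLSv1` and `ssl_version=SSL_PROTOCOL` at both sites. The call also passes no `ca_certs`, so nothing in this path authenticates the peer; if that is deliberate bootstrapping of a certificate to pin later, a one-line comment above the call stating so would save the next reader from treating it as a verified fetch. The enclosing `_get_combined_cert_for_server` starts before the hunk.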
diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py
index efab0c41ed..e8d15efa3b 100644
--- a/neutron/tests/unit/bigswitch/test_servermanager.py
+++ b/neutron/tests/unit/bigswitch/test_servermanager.py
@@ -71,7 +71,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
pl.servers._get_combined_cert_for_server,
*('example.org', 443)
)
- sslgetmock.assert_has_calls([mock.call(('example.org', 443))])
+ sslgetmock.assert_has_calls([mock.call(
+ ('example.org', 443), ssl_version=ssl.PROTOCOL_TLSv1)])
def test_consistency_watchdog_stops_with_0_polling_interval(self):
pl = manager.NeutronManager.get_plugin()
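Review bot: The rewritten assertion references `ssl.PROTOCOL_TLSv1`, but this hunk adds no `import ssl` to test_servermanager.py, while the equivalent change in test_ssl.py in this same commit does add one; unless `ssl` is already imported at the top of this module (outside the hunk), the assertion fails with a NameError instead of checking the version argument. Confirm the import is present, or add `import ssl` with the other imports. The test method containing these lines begins outside the hunk.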
diff --git a/neutron/tests/unit/bigswitch/test_ssl.py b/neutron/tests/unit/bigswitch/test_ssl.py
index 6a30744236..f921a4165e 100644
--- a/neutron/tests/unit/bigswitch/test_ssl.py
+++ b/neutron/tests/unit/bigswitch/test_ssl.py
@@ -13,6 +13,7 @@
# under the License.
import contextlib
import os
+import ssl
import mock
from oslo.config import cfg
@@ -106,7 +107,8 @@ class TestSslSticky(test_ssl_certificate_base):
self.getcacerts_m.assert_has_calls([mock.call(self.ca_certs_path)])
# cert should have been fetched via SSL lib
self.sslgetcert_m.assert_has_calls(
- [mock.call((self.servername, 443))]
+ [mock.call((self.servername, 443),
+ ssl_version=ssl.PROTOCOL_TLSv1)]
)
# cert should have been recorded