authorKevin Benton <blak111@gmail.com>2014-10-22 13:04:03 -0700
committerKevin Benton <blak111@gmail.com>2014-10-22 15:01:19 -0700
commitdd5728125f36b1f6e97893765905659184e66c0e (patch)
tree4e21a6cd9da9686c1deb75ab72e273dbda35ad7f
parent830142e6923ff5fa8303afc22b0b61c39a374fe8 (diff)
downloadneutron-dd5728125f36b1f6e97893765905659184e66c0e.tar.gz
Big Switch: Switch to TLSv1 in server manager
Switch to TLSv1 for the connections to the backend controllers. The default SSLv3 is no longer considered secure. TLSv1 was chosen over TLSv1.1 or TLSv1.2 because those weren't added until Python 2.7.9, so TLSv1 is the only compatible option for py26. Closes-Bug: #1384487 Change-Id: I68bd72fc4d90a102003d9ce48c47a4a6a3dd6e03 (cherry picked from commit 62588957fbeccfb4f80eaa72bef2b86b6f08dcf8)
-rw-r--r--neutron/plugins/bigswitch/servermanager.py9
-rw-r--r--neutron/tests/unit/bigswitch/test_servermanager.py9
2 files changed, 11 insertions, 7 deletions
diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py
index 0a86ff4374..5adb02d5a6 100644
--- a/neutron/plugins/bigswitch/servermanager.py
+++ b/neutron/plugins/bigswitch/servermanager.py
@@ -637,8 +637,9 @@ class HTTPSConnectionWithValidation(httplib.HTTPSConnection):
if self.combined_cert:
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=self.combined_cert)
+ ca_certs=self.combined_cert,
+ ssl_version=ssl.PROTOCOL_TLSv1)
else:
- self.sock = ssl.wrap_socket(sock, self.key_file,
- self.cert_file,
- cert_reqs=ssl.CERT_NONE)
+ self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
+ cert_reqs=ssl.CERT_NONE,
+ ssl_version=ssl.PROTOCOL_TLSv1)
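Review bot: Both branches now hard-code `ssl.PROTOCOL_TLSv1`, which selects exactly TLS 1.0 rather than the highest version both ends support, and the reason for that choice (the only TLS constant available on py26) lives only in the commit message; I would record it next to the first call, `# PROTOCOL_TLSv1 pins TLS 1.0: the only TLS constant on py26; revisit once py26 is dropped`. The `else` branch still passes `cert_reqs=ssl.CERT_NONE`, so the protocol change there hardens the transport but the controller remains unauthenticated, which is worth stating in-line given the class name: `# no CA bundle configured: encrypted but the peer is not verified`. Since the same literal now appears in both branches, a module-level constant used by both would keep them from drifting. The enclosing method starts before the hunk.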
diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py
index 43723fe8f9..efab0c41ed 100644
--- a/neutron/tests/unit/bigswitch/test_servermanager.py
+++ b/neutron/tests/unit/bigswitch/test_servermanager.py
@@ -465,7 +465,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
('www.example.org', 443), 90, '127.0.0.1'
)])
self.wrap_mock.assert_has_calls([mock.call(
- self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
+ self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE,
+ ssl_version=ssl.PROTOCOL_TLSv1
)])
self.assertEqual(con.sock, self.wrap_mock())
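Review bot: `assert_has_calls([mock.call(...)])` only checks that the expected call appears somewhere in the mock's call list, so an extra `wrap_socket` call made with the default `ssl_version` would not fail this test; if the connection under test wraps the socket exactly once, `self.wrap_mock.assert_called_once_with(self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLSv1)` pins the protocol more tightly. The two later hunks in this file use the same pattern. The enclosing test method starts before the hunk.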
@@ -480,7 +481,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
)])
self.wrap_mock.assert_has_calls([mock.call(
self.socket_mock(), None, None, ca_certs='SOMECERTS.pem',
- cert_reqs=ssl.CERT_REQUIRED
+ cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=ssl.PROTOCOL_TLSv1
)])
self.assertEqual(con.sock, self.wrap_mock())
@@ -500,7 +502,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
('www.example.org', 443), 90, '127.0.0.1'
)])
self.wrap_mock.assert_has_calls([mock.call(
- self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
+ self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE,
+ ssl_version=ssl.PROTOCOL_TLSv1
)])
# _tunnel() doesn't take any args
tunnel_mock.assert_has_calls([mock.call()])