Freeze Break: SSLv3
Kevin Fenzi
kevin at scrye.com
Wed Oct 15 14:03:32 UTC 2014
On Tue, 14 Oct 2014 23:06:08 -0700
"T.C. Hollingsworth" <tchollingsworth at gmail.com> wrote:
> On Tue, Oct 14, 2014 at 9:03 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> > Sadly, I didn't test auth connections, and they are broken.
> >
> > Seems koji hard codes SSLv3 as the one and only ssl method. ;(
> >
> > We will need to get a patch for koji before we can switch it over.
>
> I fixed connecting to a private instance with the attached patch. I
> was able to submit a scratch build to the Fedora koji with it applied
> too.
>
> Note that it only forces TLSv1 because pyOpenSSL in F20 doesn't seem
> to support TLSv1.1 or TLSv1.2. :-(
>
> -T.C.
Yeah, I attached pretty much an identical patch to:
https://bugzilla.redhat.com/show_bug.cgi?id=1152823
Dennis might have a patch he did a while back to just switch it to use
pycurl.
Sadly, since this is on the client end, we will have to:
* Build updates with whatever fix we need for all branches.
* Push them out and wait for them to get into the hands of maintainers.
* Cut things over to disallow SSLv3 (breaking all people who didn't
upgrade).
Perhaps we can figure out a way to keep SSLv3 enabled, but disable
ciphers that are susceptible?
:(
kevin