The ssl.get_server_certificate method uses SSLv3 by default.
Support for SSLv3 was dropped on the backend controller in
response to the POODLE vulnerability. This patch fixes it
to use TLSv1 like the wrap_socket method.
Closes-Bug: #1384487
Change-Id: I9cb5f219d327d62168bef2d7dbee22534b2e454e
(cherry picked from commit 77e283c94f51e21dcf126a316098c54a7cdfca0f)
a given path.
'''
try:
- cert = ssl.get_server_certificate((server, port))
+ cert = ssl.get_server_certificate((server, port),
+ ssl_version=ssl.PROTOCOL_TLSv1)
except Exception as e:
raise cfg.Error(_('Could not retrieve initial '
'certificate from controller %(server)s. '
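Review bot: Passing `ssl_version=ssl.PROTOCOL_TLSv1` on the added `get_server_certificate` line pins the client to TLS 1.0 only, so it cannot negotiate TLS 1.1/1.2 and will break the same way again once the controller drops TLS 1.0 as it did SSLv3. It is consistent with the existing `wrap_socket` call the commit message cites, but a less brittle choice on Python versions that apply `OP_NO_SSLv2|OP_NO_SSLv3` to a `PROTOCOL_SSLv23` context would be `ssl_version=ssl.PROTOCOL_SSLv23`, which negotiates the highest version the backend offers; which behaviour the deployed interpreter gives should be confirmed before changing it. Either way a comment on that line, such as `# pin protocol explicitly: the default (SSLv3) is refused by the controller since POODLE`, would tell the next maintainer why the argument is there. Note that this fetch passes no `ca_certs`, so the "initial certificate" retrieved here is not validated against anything — presumably it is bootstrapped trust-on-first-use, which is worth stating in the docstring if so. The enclosing function's docstring starts before the hunk and the `raise cfg.Error(...)` call continues past it.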
pl.servers._get_combined_cert_for_server,
*('example.org', 443)
)
- sslgetmock.assert_has_calls([mock.call(('example.org', 443))])
+ sslgetmock.assert_has_calls([mock.call(
+ ('example.org', 443), ssl_version=ssl.PROTOCOL_TLSv1)])
def test_consistency_watchdog_stops_with_0_polling_interval(self):
pl = manager.NeutronManager.get_plugin()
# under the License.
import contextlib
import os
+import ssl
import mock
from oslo.config import cfg
self.getcacerts_m.assert_has_calls([mock.call(self.ca_certs_path)])
# cert should have been fetched via SSL lib
self.sslgetcert_m.assert_has_calls(
- [mock.call((self.servername, 443))]
+ [mock.call((self.servername, 443),
+ ssl_version=ssl.PROTOCOL_TLSv1)]
)
# cert should have been recorded