From: Kevin Benton
Date: Wed, 22 Oct 2014 20:04:03 +0000 (-0700)
Subject: Big Switch: Switch to TLSv1 in server manager
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=dd5728125f36b1f6e97893765905659184e66c0e;p=openstack-build%2Fneutron-build.git

Big Switch: Switch to TLSv1 in server manager

Switch to TLSv1 for the connections to the backend controllers. The default SSLv3 is no longer considered secure. TLSv1 was chosen over .1 or .2 because the .1 and .2 weren't added until python 2.7.9 so TLSv1 is the only compatible option for py26.

Closes-Bug: #1384487
Change-Id: I68bd72fc4d90a102003d9ce48c47a4a6a3dd6e03
(cherry picked from commit 62588957fbeccfb4f80eaa72bef2b86b6f08dcf8)
---
diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py
index 0a86ff437..5adb02d5a 100644
--- a/neutron/plugins/bigswitch/servermanager.py
+++ b/neutron/plugins/bigswitch/servermanager.py
@@ -637,8 +637,9 @@ class HTTPSConnectionWithValidation(httplib.HTTPSConnection):
         if self.combined_cert:
             self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
                                         cert_reqs=ssl.CERT_REQUIRED,
-                                        ca_certs=self.combined_cert)
+                                        ca_certs=self.combined_cert,
+                                        ssl_version=ssl.PROTOCOL_TLSv1)
         else:
-            self.sock = ssl.wrap_socket(sock, self.key_file,
-                                        self.cert_file,
-                                        cert_reqs=ssl.CERT_NONE)
+            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
+                                        cert_reqs=ssl.CERT_NONE,
+                                        ssl_version=ssl.PROTOCOL_TLSv1)
diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py
index 43723fe8f..efab0c41e 100644
--- a/neutron/tests/unit/bigswitch/test_servermanager.py
+++ b/neutron/tests/unit/bigswitch/test_servermanager.py
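Review bot: `ssl.PROTOCOL_TLSv1`, passed on both new wrap_socket lines, selects exactly TLS 1.0 rather than a floor, so an interpreter that does have TLS 1.1/1.2 (2.7.9+) will still never negotiate them, even though the commit message presents py26 as the only reason for the choice; TLS 1.0 is itself being retired, so pinning it should be the fallback, not the rule. Where `ssl.SSLContext` exists, `PROTOCOL_SSLv23` with `OP_NO_SSLv2 | OP_NO_SSLv3` excludes SSLv3 just as this change does and still negotiates upward, with the pinned TLS 1.0 call kept only for py26 — a small helper along the lines below, called from both branches, would do it (the unit tests assert on the wrap_socket arguments and would need to follow). Separately, the else branch still wraps with `cert_reqs=ssl.CERT_NONE` and neither branch matches the hostname against the certificate, which this commit does not address; if that is deliberate for deployments with no CA bundle, a comment such as `# no combined cert configured: the controller's certificate is not verified` would save the next reader from assuming it is an oversight. The enclosing method starts before this hunk.
```python
def _wrap_socket(sock, key_file, cert_file, cert_reqs, ca_certs=None):
    """Wrap sock in TLS, refusing SSLv2/SSLv3 but negotiating upward.

    SSLContext exists from 2.7.9; without it (py26) the only way to
    exclude SSLv3 is to pin TLS 1.0, so that remains the fallback.
    """
    if hasattr(ssl, 'SSLContext'):
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
        ctx.verify_mode = cert_reqs
        if ca_certs:
            ctx.load_verify_locations(ca_certs)
        if cert_file:
            ctx.load_cert_chain(cert_file, key_file)
        return ctx.wrap_socket(sock)
    return ssl.wrap_socket(sock, key_file, cert_file, cert_reqs=cert_reqs,
                           ca_certs=ca_certs, ssl_version=ssl.PROTOCOL_TLSv1)

# … unchanged: the enclosing method up to the combined_cert check …
        if self.combined_cert:
            self.sock = _wrap_socket(sock, self.key_file, self.cert_file,
                                     ssl.CERT_REQUIRED, self.combined_cert)
        else:
            self.sock = _wrap_socket(sock, self.key_file, self.cert_file,
                                     ssl.CERT_NONE)
```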
@@ -465,7 +465,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
             ('www.example.org', 443), 90, '127.0.0.1'
         )])
         self.wrap_mock.assert_has_calls([mock.call(
-            self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
+            self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE,
+            ssl_version=ssl.PROTOCOL_TLSv1
         )])
         self.assertEqual(con.sock, self.wrap_mock())
 
@@ -480,7 +481,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
         )])
         self.wrap_mock.assert_has_calls([mock.call(
             self.socket_mock(), None, None, ca_certs='SOMECERTS.pem',
-            cert_reqs=ssl.CERT_REQUIRED
+            cert_reqs=ssl.CERT_REQUIRED,
+            ssl_version=ssl.PROTOCOL_TLSv1
         )])
         self.assertEqual(con.sock, self.wrap_mock())
 
@@ -500,7 +502,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
             ('www.example.org', 443), 90, '127.0.0.1'
         )])
         self.wrap_mock.assert_has_calls([mock.call(
-            self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
+            self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE,
+            ssl_version=ssl.PROTOCOL_TLSv1
         )])
         # _tunnel() doesn't take any args
         tunnel_mock.assert_has_calls([mock.call()])