From 77e283c94f51e21dcf126a316098c54a7cdfca0f Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Tue, 28 Oct 2014 21:39:04 -0700
Subject: [PATCH] Big Switch: Fix SSL version on get_server_cert

The ssl.get_server_certificate method uses SSLv3 by default. Support for SSLv3 was dropped on the backend controller in response to the POODLE vulnerability. This patch fixes it to use TLSv1 like the wrap_socket method.

Closes-Bug: #1384487
Change-Id: I9cb5f219d327d62168bef2d7dbee22534b2e454e
---
 neutron/plugins/bigswitch/servermanager.py | 3 ++-
 neutron/tests/unit/bigswitch/test_servermanager.py | 3 ++-
 neutron/tests/unit/bigswitch/test_ssl.py | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py
index 5adb02d5a..c10ce72bb 100644
--- a/neutron/plugins/bigswitch/servermanager.py
+++ b/neutron/plugins/bigswitch/servermanager.py
@@ -383,7 +383,8 @@ class ServerPool(object):
         a given path.
         '''
         try:
-            cert = ssl.get_server_certificate((server, port))
+            cert = ssl.get_server_certificate((server, port),
+                                              ssl_version=ssl.PROTOCOL_TLSv1)
         except Exception as e:
             raise cfg.Error(_('Could not retrieve initial '
                               'certificate from controller %(server)s. '
diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py
index efab0c41e..e8d15efa3 100644
--- a/neutron/tests/unit/bigswitch/test_servermanager.py
+++ b/neutron/tests/unit/bigswitch/test_servermanager.py
@@ -71,7 +71,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
             pl.servers._get_combined_cert_for_server,
             *('example.org', 443)
         )
-        sslgetmock.assert_has_calls([mock.call(('example.org', 443))])
+        sslgetmock.assert_has_calls([mock.call(
+            ('example.org', 443), ssl_version=ssl.PROTOCOL_TLSv1)])
 
     def test_consistency_watchdog_stops_with_0_polling_interval(self):
         pl = manager.NeutronManager.get_plugin()
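Review bot: Passing `ssl_version=ssl.PROTOCOL_TLSv1` on the new line pins this fetch to exactly TLS 1.0 (that constant negotiates no other version), so a controller that later drops TLS 1.0 the way it dropped SSLv3 fails here again, and the commit message says the same literal already sits in the module's `wrap_socket` call. A module-level constant shared by both call sites, e.g. `SSL_PROTOCOL = ssl.PROTOCOL_TLSv1`, would keep the two in step and make the next version change a one-line edit. The call also still passes no `ca_certs`, so the certificate retrieved here is taken on trust from whatever answers on the wire; if, as the "sticky" test in test_ssl.py suggests, this is the first-contact fetch whose result is then stored and relied on, a comment such as `# unvalidated first fetch: the cert stored here is what later connections are checked against` would make that trust boundary visible to the next maintainer. The enclosing method starts and ends outside the hunk.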
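Review bot: The rewritten assertion references `ssl.PROTOCOL_TLSv1`, yet this file receives no `import ssl` in the patch (the diffstat's two insertions for test_servermanager.py are both in this hunk), whereas test_ssl.py gets one added in the same commit; presumably test_servermanager.py already imports ssl, but that is worth confirming before merge, since the test would otherwise fail with NameError rather than exercise the fix. Separately, `assert_has_calls` with a single-element list only checks that this call appears somewhere in the mock's call list, so a stray extra call with a different `ssl_version` would still pass; `sslgetmock.assert_called_once_with(('example.org', 443), ssl_version=ssl.PROTOCOL_TLSv1)` pins the behaviour the commit is fixing. The same applies to the matching assertion in the test_ssl.py hunk. The enclosing test method starts outside the hunk.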
diff --git a/neutron/tests/unit/bigswitch/test_ssl.py b/neutron/tests/unit/bigswitch/test_ssl.py
index 6a3074423..f921a4165 100644
--- a/neutron/tests/unit/bigswitch/test_ssl.py
+++ b/neutron/tests/unit/bigswitch/test_ssl.py
@@ -13,6 +13,7 @@
 # under the License.
 import contextlib
 import os
+import ssl
 
 import mock
 from oslo.config import cfg
@@ -106,7 +107,8 @@ class TestSslSticky(test_ssl_certificate_base):
         self.getcacerts_m.assert_has_calls([mock.call(self.ca_certs_path)])
         # cert should have been fetched via SSL lib
         self.sslgetcert_m.assert_has_calls(
-            [mock.call((self.servername, 443))]
+            [mock.call((self.servername, 443),
+                       ssl_version=ssl.PROTOCOL_TLSv1)]
         )
         # cert should have been recorded
-- 
2.45.2