From dd5728125f36b1f6e97893765905659184e66c0e Mon Sep 17 00:00:00 2001 From: Kevin Benton Date: Wed, 22 Oct 2014 13:04:03 -0700 Subject: [PATCH] Big Switch: Switch to TLSv1 in server manager Switch to TLSv1 for the connections to the backend controllers. The default SSLv3 is no longer considered secure. TLSv1 was chosen over .1 or .2 because the .1 and .2 weren't added until python 2.7.9 so TLSv1 is the only compatible option for py26. Closes-Bug: #1384487 Change-Id: I68bd72fc4d90a102003d9ce48c47a4a6a3dd6e03 (cherry picked from commit 62588957fbeccfb4f80eaa72bef2b86b6f08dcf8) --- neutron/plugins/bigswitch/servermanager.py | 9 +++++---- neutron/tests/unit/bigswitch/test_servermanager.py | 9 ++++++--- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py index 0a86ff437..5adb02d5a 100644 --- a/neutron/plugins/bigswitch/servermanager.py +++ b/neutron/plugins/bigswitch/servermanager.py @@ -637,8 +637,9 @@ class HTTPSConnectionWithValidation(httplib.HTTPSConnection): if self.combined_cert: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, cert_reqs=ssl.CERT_REQUIRED, - ca_certs=self.combined_cert) + ca_certs=self.combined_cert, + ssl_version=ssl.PROTOCOL_TLSv1) else: - self.sock = ssl.wrap_socket(sock, self.key_file, - self.cert_file, - cert_reqs=ssl.CERT_NONE) + self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, + cert_reqs=ssl.CERT_NONE, + ssl_version=ssl.PROTOCOL_TLSv1) diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py index 43723fe8f..efab0c41e 100644 --- a/neutron/tests/unit/bigswitch/test_servermanager.py +++ b/neutron/tests/unit/bigswitch/test_servermanager.py @@ -465,7 +465,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase): ('www.example.org', 443), 90, '127.0.0.1' )]) self.wrap_mock.assert_has_calls([mock.call( - self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE + self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE, + ssl_version=ssl.PROTOCOL_TLSv1 )]) self.assertEqual(con.sock, self.wrap_mock()) @@ -480,7 +481,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase): )]) self.wrap_mock.assert_has_calls([mock.call( self.socket_mock(), None, None, ca_certs='SOMECERTS.pem', - cert_reqs=ssl.CERT_REQUIRED + cert_reqs=ssl.CERT_REQUIRED, + ssl_version=ssl.PROTOCOL_TLSv1 )]) self.assertEqual(con.sock, self.wrap_mock()) @@ -500,7 +502,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase): ('www.example.org', 443), 90, '127.0.0.1' )]) self.wrap_mock.assert_has_calls([mock.call( - self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE + self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE, + ssl_version=ssl.PROTOCOL_TLSv1 )]) # _tunnel() doesn't take any args tunnel_mock.assert_has_calls([mock.call()]) -- 2.45.2