Big Switch: Fix SSL version on get_server_cert
The ssl.get_server_certificate method uses SSLv3 by default. Support for SSLv3 was dropped on the backend controller in response to the POODLE vulnerability. This patch fixes it to use TLSv1 like the wrap_socket method. Closes-Bug: #1384487 Change-Id: I9cb5f219d327d62168bef2d7dbee22534b2e454e
This commit is contained in:
Kevin Benton
parent
1d5f15437a
commit
77e283c94f
|
|
@ -383,7 +383,8 @@ class ServerPool(object):
|
|||
a given path.
|
||||
'''
|
||||
try:
|
||||
cert = ssl.get_server_certificate((server, port))
|
||||
cert = ssl.get_server_certificate((server, port),
|
||||
ssl_version=ssl.PROTOCOL_TLSv1)
|
||||
except Exception as e:
|
||||
raise cfg.Error(_('Could not retrieve initial '
|
||||
'certificate from controller %(server)s. '
|
||||
|
|
|
|||
|
|
@ -71,7 +71,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
|
|||
pl.servers._get_combined_cert_for_server,
|
||||
*('example.org', 443)
|
||||
)
|
||||
sslgetmock.assert_has_calls([mock.call(('example.org', 443))])
|
||||
sslgetmock.assert_has_calls([mock.call(
|
||||
('example.org', 443), ssl_version=ssl.PROTOCOL_TLSv1)])
|
||||
|
||||
def test_consistency_watchdog_stops_with_0_polling_interval(self):
|
||||
pl = manager.NeutronManager.get_plugin()
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@
|
|||
# under the License.
|
||||
import contextlib
|
||||
import os
|
||||
import ssl
|
||||
|
||||
import mock
|
||||
from oslo.config import cfg
|
||||
|
|
@ -106,7 +107,8 @@ class TestSslSticky(test_ssl_certificate_base):
|
|||
self.getcacerts_m.assert_has_calls([mock.call(self.ca_certs_path)])
|
||||
# cert should have been fetched via SSL lib
|
||||
self.sslgetcert_m.assert_has_calls(
|
||||
[mock.call((self.servername, 443))]
|
||||
[mock.call((self.servername, 443),
|
||||
ssl_version=ssl.PROTOCOL_TLSv1)]
|
||||
)
|
||||
|
||||
# cert should have been recorded
|
||||
|
|
|
|||
Loading…
Reference in New Issue