On Wed, Oct 15, 2014 at 11:31 AM, Fabian Arrotin fabian.arrotin@arrfab.net wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
As most of you already know, there is an important SSLv3 vulnerability (CVE-2014-3566 - see https://access.redhat.com/articles/1232123) , known as Poodle. While it's easy to disable SSLv3 in the allowed Protocols at the server level (for example SSLProtocol All -SSLv2 -SSLv3 for apache), some clients are still defaulting to SSLv3, and Koji does that.
We currently have disabled SSLv3 on our cbs.centos.org koji instance, so if you're a cbs/koji user, please adapt your local koji package (local fix !) At the moment, there is no available upstream package, but the following patch has been tested by Fedora people too (and credits go to https://lists.fedoraproject.org/pipermail/infrastructure/2014-October/014976...)
=====================================================
- --- SSLCommon.py.orig 2014-10-15 11:42:54.747082029 +0200
+++ SSLCommon.py 2014-10-15 11:44:08.215257590 +0200 @@ -37,7 +37,8 @@ if f and not os.access(f, os.R_OK): raise StandardError, "%s does not exist or is not readable" % f
- ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
- #ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
- ctx = SSL.Context(SSL.TLSv1_METHOD) # TLSv1 only
ctx.use_certificate_file(key_and_cert) ctx.use_privatekey_file(key_and_cert) ctx.load_client_ca(ca_cert) @@ -45,7 +46,8 @@ verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT ctx.set_verify(verify, our_verify) ctx.set_verify_depth(10)
- ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
- #ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
- ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
return ctx
Just to remove nearly all thought required, do this:
* Download the attached patch (which was inlined above) to /tmp
* cd /usr/lib/python2.6/site-packages
* sudo patch -p1 < /tmp/centos6-koji-disable-sslv3.diff
-George