[CentOS-announce] Koji/CBS infra and sslv3/Poodle important notification

Wed Oct 15 10:32:37 UTC 2014
Fabian Arrotin <arrfab at centos.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

As most of you already know, there is an important SSLv3 vulnerability
(CVE-2014-3566 - see https://access.redhat.com/articles/1232123) ,
known as Poodle.
While it's easy to disable SSLv3 in the allowed Protocols at the
server level (for example SSLProtocol All -SSLv2 -SSLv3 for apache),
some clients are still defaulting to SSLv3, and Koji does that.

We currently have disabled SSLv3 on our cbs.centos.org koji instance,
so if you're a cbs/koji user, please adapt your local koji package
(local fix !)
At the moment, there is no available upstream package, but the
following patch has been tested by Fedora people too (and credits go
to
https://lists.fedoraproject.org/pipermail/infrastructure/2014-October/014976.html)

=====================================================
- --- SSLCommon.py.orig	2014-10-15 11:42:54.747082029 +0200
+++ SSLCommon.py	2014-10-15 11:44:08.215257590 +0200
@@ -37,7 +37,8 @@
         if f and not os.access(f, os.R_OK):
             raise StandardError, "%s does not exist or is not
readable" % f

- -    ctx = SSL.Context(SSL.SSLv3_METHOD)   # SSLv3 only
+    #ctx = SSL.Context(SSL.SSLv3_METHOD)   # SSLv3 only
+    ctx = SSL.Context(SSL.TLSv1_METHOD)   # TLSv1 only
     ctx.use_certificate_file(key_and_cert)
     ctx.use_privatekey_file(key_and_cert)
     ctx.load_client_ca(ca_cert)
@@ -45,7 +46,8 @@
     verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
     ctx.set_verify(verify, our_verify)
     ctx.set_verify_depth(10)
- -    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+    #ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
     return ctx
=====================================================

We'll keep you informed about possible upstream koji packages that
would default to at least TLSv1

If you encounter a problem, feel free to drop into #centos-devel
channel on irc.freenode.net and have a chat with us

on behalf of the Infra team,
- -- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlQ+TUUACgkQnVkHo1a+xU4JyQCfefp2h7yRdmljBqRc+M76jPTf
z7wAn3dOkaNPNfEnV0pxWDFX7BDDqKuY
=lxsg
-----END PGP SIGNATURE-----