On Wed, Oct 15, 2014 at 11:31 AM, Fabian Arrotin <fabian.arrotin at arrfab.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > As most of you already know, there is an important SSLv3 vulnerability > (CVE-2014-3566 - see https://access.redhat.com/articles/1232123) , > known as Poodle. > While it's easy to disable SSLv3 in the allowed Protocols at the > server level (for example SSLProtocol All -SSLv2 -SSLv3 for apache), > some clients are still defaulting to SSLv3, and Koji does that. > > We currently have disabled SSLv3 on our cbs.centos.org koji instance, > so if you're a cbs/koji user, please adapt your local koji package > (local fix !) > At the moment, there is no available upstream package, but the > following patch has been tested by Fedora people too (and credits go > to > https://lists.fedoraproject.org/pipermail/infrastructure/2014-October/014976.html) > > =====================================================
> - --- SSLCommon.py.orig 2014-10-15 11:42:54.747082029 +0200
> +++ SSLCommon.py 2014-10-15 11:44:08.215257590 +0200
> @@ -37,7 +37,8 @@
> if f and not os.access(f, os.R_OK):
> raise StandardError, "%s does not exist or is not readable" % f
>
> - - ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
> + #ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
> + ctx = SSL.Context(SSL.TLSv1_METHOD) # TLSv1 only
> ctx.use_certificate_file(key_and_cert)
> ctx.use_privatekey_file(key_and_cert)
> ctx.load_client_ca(ca_cert)
> @@ -45,7 +46,8 @@
> verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
> ctx.set_verify(verify, our_verify)
> ctx.set_verify_depth(10)
> - - ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
> + #ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
> + ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
> return ctx
> ===================================================== Just to remove nearly all thought required, do this: * Download the attached patch (which was inlined above) to /tmp * cd /usr/lib/python2.6/site-packages * sudo patch -p1 < /tmp/centos6-koji-disable-sslv3.diff -George -------------- next part --------------
From ae14012eab8caeae1548a9246c63378cd052efe2 Mon Sep 17 00:00:00 2001
From: "T.C. Hollingsworth" <tchollingsworth at gmail.com>
Date: Tue, 14 Oct 2014 23:00:40 -0700
Subject: [PATCH] use TLSv1 and disable SSLv3 to avoid POODLE attacks
---
 koji/ssl/SSLCommon.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/koji/ssl/SSLCommon.py b/koji/ssl/SSLCommon.py
index 1a3b3d6..b218a80 100644
--- a/koji/ssl/SSLCommon.py
+++ b/koji/ssl/SSLCommon.py
@@ -37,7 +37,7 @@ def CreateSSLContext(certs):
 if f and not os.access(f, os.R_OK):
 raise StandardError, "%s does not exist or is not readable" % f

- ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
+ ctx = SSL.Context(SSL.TLSv1_METHOD) # TLSv1 only
 ctx.use_certificate_file(key_and_cert)
 ctx.use_privatekey_file(key_and_cert)
 ctx.load_client_ca(ca_cert)
@@ -45,7 +45,7 @@ def CreateSSLContext(certs):
 verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
 ctx.set_verify(verify, our_verify)
 ctx.set_verify_depth(10)
- ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+ ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
 return ctx
--
1.9.3
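Review bot: The new `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)` line in the second hunk keeps OP_NO_TLSv1 on a context that the first hunk now builds with `SSL.TLSv1_METHOD`, so the one protocol the context can speak is also the one it is told to forbid; whether a fixed-version method ignores OP_NO_* is an OpenSSL implementation detail rather than a documented guarantee, so the combination reads as contradictory at best and may fail every handshake on some builds. The quoted copy of the patch above carries the same two lines. TLSv1_METHOD additionally pins the client to TLS 1.0 and forecloses TLS 1.1/1.2 even when the server offers them, so a more durable form is `ctx = SSL.Context(SSL.SSLv23_METHOD)` together with `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`, which negotiates the highest mutually supported TLS version while still excluding SSLv2 and SSLv3. Whichever variant is kept, the trailing `# TLSv1 only` comment should describe what the options actually permit. CreateSSLContext begins before the first hunk and its remaining body is outside both.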