[OE-core] [daisy][PATCH] python: Building without SSLv3 support , The POODLE Bites Again

Sona Sarmadi sona.sarmadi at enea.com
Tue Dec 9 14:38:53 UTC 2014


Hi Paul,

> I think we should apply the patch now anyway; we'll want to know that it
> works for backports to the stable branch(es), and in any case the upgrade to
> 2.7.9 is not going to be a straightforward task based upon my earlier attempt
> to upgrade to 2.7.6 (the current state of which is still in paule/python276-wip
> in poky-contrib).
> 
> Cheers,
> Paul
> 

I have applied this patch in master and have run some tests to verify that
SSLv3 is really disabled. It seems that SSLv3 is still enabled. I am running more tests to
find out why SSLv3 is not disabled and what more needs to be done.

SSLv2 is disabled already; if we manage to disable SSLv3 then I guess we need to disable SSLv23 as well??!

root at p2020rdb:~# python
>>> import ssl
>>> print ssl.PROTOCOL_SSLv3
1
>>> print ssl.PROTOCOL_SSLv2
0
>>> print ssl.PROTOCOL_SSLv23
2

I think we should consider (start looking at) upgrading to Python 2.7.9 in master to address this issue. I feel uncomfortable with this Debian patch. It seems that we need to do more manual changes in order to make this work. I will soon update bug 7015 with my test results.

While testing this issue, a new vulnerability was released yesterday:
Incorrect TLS padding may be accepted when terminating TLS 1.x CBC cipher connections. (CVE-2014-8730)

https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

Cheers, Sona
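The interpreter session in the message above only shows that the protocol constants print. As an added example (not from this thread, the OE-core recipe, or the Debian patch under discussion), the script below separates the two questions the message runs together: whether the interpreter's build can still select SSLv3 at all, and whether a given SSL context will negotiate it. It is written for Python 3.7 or later (an assumption, since the thread concerns 2.7, where `SSLContext.minimum_version` does not exist), and every function and name in it is this example's own. It also shows why `PROTOCOL_SSLv23` does not itself need disabling: it is the "negotiate the highest common version" selector (`PROTOCOL_TLS_CLIENT` in current Python), and setting `OP_NO_SSLv3` or a minimum version on such a context is what removes SSLv3 from the negotiation.

```python
import ssl

# The three selector constants printed in the p2020rdb session above.
LEGACY_SELECTORS = ("PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23")


def build_supports(protocol_name):
    """True if this interpreter exposes the named selector constant AND the
    linked OpenSSL will build a context with it. An interpreter built against
    OpenSSL compiled with no-ssl3 omits ssl.PROTOCOL_SSLv3 entirely, which is
    the state a 'build without SSLv3 support' patch should produce."""
    value = getattr(ssl, protocol_name, None)
    if value is None:
        return False
    try:
        ssl.SSLContext(value)
    except Exception:
        # Constant compiled in, but the library refuses to instantiate it.
        return False
    return True


def legacy_protocol_report():
    """Report each legacy selector as usable / not usable on this build."""
    return {name: build_supports(name) for name in LEGACY_SELECTORS}


def sslv3_blocked(ctx):
    """True when ctx can no longer negotiate SSLv3, either because the
    OP_NO_SSLv3 option is set or because the protocol floor is above SSLv3.
    This is the run-time property to check, independent of which constants
    the build happens to expose."""
    if ctx.options & ssl.OP_NO_SSLv3:
        return True
    return ctx.minimum_version > ssl.TLSVersion.SSLv3


def hardened_client_context():
    """Client context that cannot negotiate SSLv2/SSLv3 regardless of how the
    underlying OpenSSL was built: the negotiating selector stays, and the
    weak versions are excluded from what it may negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Pin the floor explicitly as well, so the intent survives later option
    # changes and also rules out TLS 1.0/1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_context():
    """Deliberately weak context, constructed only so the check above has
    something to reject: it clears the OP_NO_SSLv3 flag that Python sets by
    default since 3.6 and drops the version floor to the library minimum."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for name, usable in legacy_protocol_report().items():
        print("%-16s %s" % (name, "usable" if usable else "not available"))
    print("hardened context blocks SSLv3:  ", sslv3_blocked(hardened_client_context()))
    print("permissive context blocks SSLv3:", sslv3_blocked(permissive_context()))
```

On a build whose OpenSSL was compiled with `no-ssl3`, `legacy_protocol_report()["PROTOCOL_SSLv3"]` is False; on the p2020rdb output above it would be True, which is the observation the message reports. Whether SSLv3 is actually blocked for a connection is a property of the context, which is why the second half of the script checks `ctx.options` and `ctx.minimum_version` rather than the constants.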

