authorKevin Benton <blak111@gmail.com>2014-10-22 13:04:03 -0700
committerKevin Benton <blak111@gmail.com>2014-10-22 14:53:53 -0700
commit62588957fbeccfb4f80eaa72bef2b86b6f08dcf8 (patch)
treedb4089e689059b03a3de837afc8ce8f84e523a3b
parentc6f24b55e3ece33663083d99a716072ad2ad875a (diff)
downloadneutron-62588957fbeccfb4f80eaa72bef2b86b6f08dcf8.tar.gz
Big Switch: Switch to TLSv1 in server manager
Switch to TLSv1 for the connections to the backend controllers. The default SSLv3 is no longer considered secure. TLSv1 was chosen over TLSv1.1 or TLSv1.2 because those were not added until Python 2.7.9, so TLSv1 is the only compatible option for py26. Closes-Bug: #1384487 Change-Id: I68bd72fc4d90a102003d9ce48c47a4a6a3dd6e03
-rw-r--r--neutron/plugins/bigswitch/servermanager.py9
-rw-r--r--neutron/tests/unit/bigswitch/test_servermanager.py9
2 files changed, 11 insertions, 7 deletions
diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py
index 0a86ff4374..5adb02d5a6 100644
--- a/neutron/plugins/bigswitch/servermanager.py
+++ b/neutron/plugins/bigswitch/servermanager.py
@@ -637,8 +637,9 @@ class HTTPSConnectionWithValidation(httplib.HTTPSConnection):
if self.combined_cert:
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=self.combined_cert)
+ ca_certs=self.combined_cert,
+ ssl_version=ssl.PROTOCOL_TLSv1)
else:
- self.sock = ssl.wrap_socket(sock, self.key_file,
- self.cert_file,
- cert_reqs=ssl.CERT_NONE)
+ self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
+ cert_reqs=ssl.CERT_NONE,
+ ssl_version=ssl.PROTOCOL_TLSv1)
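Review bot: Pinning `ssl_version=ssl.PROTOCOL_TLSv1` on both `wrap_socket` calls fixes the negotiated protocol at exactly TLS 1.0, so the client will never move to TLS 1.1/1.2 even on an interpreter that supports them, and the py26 reasoning for that choice lives only in the commit message; it belongs next to the code, e.g. `# TLSv1 only: PROTOCOL_TLSv1_1/_2 need Python 2.7.9+, which py26 lacks.` The same literal now appears in both branches, so a single class- or module-level constant would keep them from drifting apart and give the unit tests one name to assert against. Note that the version pin adds no server authentication in the `else` branch, which still passes `cert_reqs=ssl.CERT_NONE`. The enclosing method starts outside the hunk.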
diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py
index 43723fe8f9..efab0c41ed 100644
--- a/neutron/tests/unit/bigswitch/test_servermanager.py
+++ b/neutron/tests/unit/bigswitch/test_servermanager.py
@@ -465,7 +465,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
('www.example.org', 443), 90, '127.0.0.1'
)])
self.wrap_mock.assert_has_calls([mock.call(
- self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
+ self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE,
+ ssl_version=ssl.PROTOCOL_TLSv1
)])
self.assertEqual(con.sock, self.wrap_mock())
@@ -480,7 +481,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
)])
self.wrap_mock.assert_has_calls([mock.call(
self.socket_mock(), None, None, ca_certs='SOMECERTS.pem',
- cert_reqs=ssl.CERT_REQUIRED
+ cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=ssl.PROTOCOL_TLSv1
)])
self.assertEqual(con.sock, self.wrap_mock())
@@ -500,7 +502,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
('www.example.org', 443), 90, '127.0.0.1'
)])
self.wrap_mock.assert_has_calls([mock.call(
- self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
+ self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE,
+ ssl_version=ssl.PROTOCOL_TLSv1
)])
# _tunnel() doesn't take any args
tunnel_mock.assert_has_calls([mock.call()])