author | Kevin Benton <blak111@gmail.com> | 2014-10-22 13:04:03 -0700 |
---|---|---|
committer | Kevin Benton <blak111@gmail.com> | 2014-10-22 14:53:53 -0700 |
commit | 62588957fbeccfb4f80eaa72bef2b86b6f08dcf8 (patch) | |
tree | db4089e689059b03a3de837afc8ce8f84e523a3b | |
parent | c6f24b55e3ece33663083d99a716072ad2ad875a (diff) | |
download | neutron-62588957fbeccfb4f80eaa72bef2b86b6f08dcf8.tar.gz |
Big Switch: Switch to TLSv1 in server manager
Switch to TLSv1 for the connections to the backend
controllers. The default SSLv3 is no longer considered
secure.
TLSv1 was chosen over TLSv1.1 or TLSv1.2 because 1.1 and 1.2 weren't
added until Python 2.7.9, so TLSv1 is the only compatible option
for py26.
Closes-Bug: #1384487
Change-Id: I68bd72fc4d90a102003d9ce48c47a4a6a3dd6e03
-rw-r--r-- | neutron/plugins/bigswitch/servermanager.py | 9 | ||||
-rw-r--r-- | neutron/tests/unit/bigswitch/test_servermanager.py | 9 |
2 files changed, 11 insertions, 7 deletions
diff --git a/neutron/plugins/bigswitch/servermanager.py b/neutron/plugins/bigswitch/servermanager.py index 0a86ff4374..5adb02d5a6 100644 --- a/neutron/plugins/bigswitch/servermanager.py +++ b/neutron/plugins/bigswitch/servermanager.py @@ -637,8 +637,9 @@ class HTTPSConnectionWithValidation(httplib.HTTPSConnection): if self.combined_cert: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, cert_reqs=ssl.CERT_REQUIRED, - ca_certs=self.combined_cert) + ca_certs=self.combined_cert, + ssl_version=ssl.PROTOCOL_TLSv1) else: - self.sock = ssl.wrap_socket(sock, self.key_file, - self.cert_file, - cert_reqs=ssl.CERT_NONE) + self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, + cert_reqs=ssl.CERT_NONE, + ssl_version=ssl.PROTOCOL_TLSv1) diff --git a/neutron/tests/unit/bigswitch/test_servermanager.py b/neutron/tests/unit/bigswitch/test_servermanager.py index 43723fe8f9..efab0c41ed 100644 --- a/neutron/tests/unit/bigswitch/test_servermanager.py +++ b/neutron/tests/unit/bigswitch/test_servermanager.py @@ -465,7 +465,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase): ('www.example.org', 443), 90, '127.0.0.1' )]) self.wrap_mock.assert_has_calls([mock.call( - self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE + self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE, + ssl_version=ssl.PROTOCOL_TLSv1 )]) self.assertEqual(con.sock, self.wrap_mock()) @@ -480,7 +481,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase): )]) self.wrap_mock.assert_has_calls([mock.call( self.socket_mock(), None, None, ca_certs='SOMECERTS.pem', - cert_reqs=ssl.CERT_REQUIRED + cert_reqs=ssl.CERT_REQUIRED, + ssl_version=ssl.PROTOCOL_TLSv1 )]) self.assertEqual(con.sock, self.wrap_mock()) 
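Review bot: Both `ssl.wrap_socket` calls in servermanager.py now pin `ssl_version=ssl.PROTOCOL_TLSv1`, which fixes the connection at exactly TLS 1.0 and cannot negotiate a newer version even on interpreters that offer one; the py26 rationale is recorded only in the commit message. I would define the choice once at module level with the reason beside it, for example `# TLS 1.0 is the newest protocol constant available on py26; raise this when py26 support ends` above a constant such as `BACKEND_SSL_VERSION = ssl.PROTOCOL_TLSv1` (proposed name), and pass that constant in both branches. The `else` branch still passes `cert_reqs=ssl.CERT_NONE`, so the protocol change does not authenticate the controller on that path: the peer certificate is unverified whichever version is used. The enclosing method starts above the hunk, so whether the unvalidated case is logged or restricted elsewhere is not visible here.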
@@ -500,7 +502,8 @@ class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase): ('www.example.org', 443), 90, '127.0.0.1' )]) self.wrap_mock.assert_has_calls([mock.call( - self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE + self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE, + ssl_version=ssl.PROTOCOL_TLSv1 )]) # _tunnel() doesn't take any args tunnel_mock.assert_has_calls([mock.call()]) |