Explicitly remove support of SSLv2 #396
Branch force-pushed from 4980a7b to be99b83
ipalib/config.py (Outdated)
| if self.tls_version_min not in TLS_VERSIONS: | ||
| raise errors.EnvironmentError( | ||
| "Unknown TLS version '{ver}' set in tls_version_min." | ||
| .format(self.tls_version_min)) |
I think you meant tls_version_max.
Yup
ipapython/nsslib.py (Outdated)
| if min_version_idx < min_allowed_idx: | ||
| min_version_idx = min_allowed_idx | ||
| root_logger.warning("tls_version_min set too low ('{old}')," |
Please use a module-specific logger rather than the root logger:
    from ipapython.ipa_log_manager import log_mgr
    logger = log_mgr.get_logger(__name__)
Shall I replace all appearances of root_logger in the module, then?
ipapython/nsslib.py (Outdated)
| min_version_idx = TLS_VERSIONS.index(tls_version_min) | ||
| except ValueError: | ||
| raise InvocationError("tls_version_min ('{val}') is not a known " | ||
| "TLS version.".format(val=tls_version_min)) |
InvocationError is not right. I think RuntimeError should be OK. Or NetworkError if you want to use an IPA error.
Ok
Branch force-pushed from be99b83 to db2b762
Did not realize merging to Env from default constants was happening in the end of
Branch force-pushed from db2b762 to c59b2ae
@stlaz, you don't have to replace
Branch force-pushed from c59b2ae to 2761cbf
Done. Also added a docstring to the
Branch force-pushed from 2761cbf to 53aebe8
LGTM.
Branch force-pushed from 53aebe8 to b5bea92
| max_version_idx = TLS_VERSIONS.index(tls_version_max) | ||
| except ValueError: | ||
| raise ValueError("tls_version_max ('{val}') is not a known " | ||
| "TLS version.".format(val=tls_version_max)) |
Would it be possible to move try-except block to a separate function to avoid the copy-pasta for min and max version checks?
    max_version_idx = get_proper_tls_version(
        max_version_idx, "max_version_idx", min_version_idx=min_version_idx)
I would rather avoid such overkill.
ok
| logger.warning("tls_version_max set too low ('{old}')," | ||
| "using '{new}' instead" | ||
| .format(old=tls_version_max, | ||
| new=TLS_VERSIONS[max_version_idx])) |
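Review bot: the two adjacent literals `"tls_version_max set too low ('{old}'),"` and `"using '{new}' instead"` are joined by implicit string concatenation with no separator, so the logged line reads `...('{old}'),using '{new}' instead`; add a trailing space after the comma in the first literal. The `tls_version_min` warning above starts with the same literal and needs the same fix.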
Same as above - would it be possible to use a function to avoid copy-pasta?
ipapython/nsslib.py (Outdated)
| :param tls_version_max: | ||
| the higher value in the TLS min-max span, raised to tls_version_min | ||
| if lower than TLS_VERSION_MINIMAL | ||
| """ |
Please add :raises: to docstring.
Please update the commit title and description to make it clear that it also removes support of SSLv3.
It was possible to set tls_version_min/max to 'ssl2' or 'ssl3', even though newer versions of NSS will fail to set this as a valid TLS version. This patch explicitly checks for deprecated TLS versions prior to creating a TLS connection. Also, we don't allow tls_version_min/max to be set to a random string anymore. https://fedorahosted.org/freeipa/ticket/6607
Branch force-pushed from b5bea92 to 661ed55
| max_version_idx = TLS_VERSIONS.index(tls_version_max) | ||
| except ValueError: | ||
| raise ValueError("tls_version_max ('{val}') is not a known " | ||
| "TLS version.".format(val=tls_version_max)) |
ok
Fixed upstream
It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.
https://fedorahosted.org/freeipa/ticket/6607
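As an added example (not FreeIPA's code, and not the patch under review), the following shows the single validation helper the review asks for: both settings go through one function that rejects unknown protocol names with ValueError, raises deprecated protocols to a floor with a warning, and uses a module logger rather than the root logger. It goes slightly beyond the hunks shown by also rejecting a maximum below the resolved minimum. The contents of TLS_VERSIONS and the value of TLS_VERSION_MINIMAL are assumptions; the real lists in ipapython/nsslib.py are not shown on this page.

```python
"""Validate a tls_version_min/tls_version_max span before opening a TLS
connection.  Added example, not FreeIPA's implementation."""
import logging

# Module-specific logger, as requested in the review (stdlib logging is used
# here instead of ipapython.ipa_log_manager so the example runs stand-alone).
logger = logging.getLogger(__name__)

# ASSUMED ordering of protocol names, oldest first.  Everything below
# TLS_VERSION_MINIMAL is treated as deprecated and is never passed through.
TLS_VERSIONS = ["ssl2", "ssl3", "tls1.0", "tls1.1", "tls1.2"]
TLS_VERSION_MINIMAL = "tls1.0"  # ASSUMED floor


def tls_version_index(name, setting):
    """Map a configured protocol name to its position in TLS_VERSIONS.

    :param name: value from the configuration, e.g. "tls1.2"
    :param setting: name of the setting, used only for the error message
    :raises ValueError: if ``name`` is not a known protocol, so a typo or an
        arbitrary string can never silently disable the version check
    """
    try:
        return TLS_VERSIONS.index(name)
    except ValueError:
        raise ValueError("{setting} ('{val}') is not a known TLS version."
                         .format(setting=setting, val=name))


def resolve_tls_span(tls_version_min, tls_version_max):
    """Return the (min, max) protocol names that are safe to hand to NSS.

    Deprecated protocols below TLS_VERSION_MINIMAL are raised to the floor
    for both ends of the span, with a warning that names the setting and
    both the old and the new value.

    :raises ValueError: on an unknown protocol name, or when the resolved
        maximum is lower than the resolved minimum
    """
    floor_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
    resolved = {}
    for setting, value in (("tls_version_min", tls_version_min),
                           ("tls_version_max", tls_version_max)):
        idx = tls_version_index(value, setting)
        if idx < floor_idx:
            # Note the explicit space after the comma: the message is one
            # literal, so there is no implicit-concatenation gap to lose.
            logger.warning("%s set too low ('%s'), using '%s' instead",
                           setting, value, TLS_VERSIONS[floor_idx])
            idx = floor_idx
        resolved[setting] = idx

    if resolved["tls_version_max"] < resolved["tls_version_min"]:
        raise ValueError(
            "tls_version_max ('{mx}') is lower than tls_version_min ('{mn}')."
            .format(mx=TLS_VERSIONS[resolved["tls_version_max"]],
                    mn=TLS_VERSIONS[resolved["tls_version_min"]]))

    return (TLS_VERSIONS[resolved["tls_version_min"]],
            TLS_VERSIONS[resolved["tls_version_max"]])


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed inputs: a deprecated minimum is clamped, a typo is rejected.
    print(resolve_tls_span("ssl3", "tls1.2"))
    try:
        resolve_tls_span("tls1.3 ", "tls1.2")
    except ValueError as e:
        print(e)
```

Routing both settings through the same loop keeps the deprecated-protocol check in one place, which is the point of the review request: a fix to the floor or to the message text cannot be applied to one setting and forgotten for the other.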