Enforce secure SSL/TLS options in soledad client and server
The u1db code in the bundle uses SSLv3, which is known to be weak (POODLE bug). It was patched in Debian as follows:
Index: u1db/u1db/remote/http_client.py =================================================================== --- u1db.orig/u1db/remote/http_client.py 2013-10-08 10:11:25.000000000 -0400 +++ u1db/u1db/remote/http_client.py 2014-11-16 13:03:39.371785706 -0500 @@ -77,7 +77,7 @@ # XXX no cert verification implemented elsewhere for now cert_opts = {} self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, - ssl_version=ssl.PROTOCOL_SSLv3, + ssl_version=ssl.PROTOCOL_TLSv1, **cert_opts ) if cert_opts: Index: u1db/u1db/tests/test_https.py =================================================================== --- u1db.orig/u1db/tests/test_https.py 2013-10-08 10:11:25.000000000 -0400 +++ u1db/u1db/tests/test_https.py 2014-11-16 13:03:13.596487270 -0500 @@ -26,7 +26,7 @@ 'testing.cert') key_file = os.path.join(os.path.dirname(__file__), 'testing-certs', 'testing.key') - ssl_context = SSL.Context(SSL.SSLv23_METHOD) + ssl_context = SSL.Context(SSL.TLSv1_METHOD) ssl_context.use_privatekey_file(key_file) ssl_context.use_certificate_chain_file(cert_file) srv = httpserver.WSGIServerBase(application, host_port,
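Review bot: In the http_client.py hunk the protocol change does not address the `# XXX no cert verification implemented elsewhere for now` line and the empty `cert_opts = {}` that remain in the context; with `ssl.wrap_socket` called without `cert_reqs=ssl.CERT_REQUIRED` and `ca_certs=...`, the client still accepts any server certificate, so the upgrade from SSLv3 to TLS closes the POODLE downgrade but not an active man-in-the-middle. Also note that `ssl.PROTOCOL_TLSv1` selects TLS 1.0 only, so the client cannot negotiate TLS 1.1 or 1.2 with a server that offers them; an `SSLContext` built from `PROTOCOL_SSLv23` with `OP_NO_SSLv2 | OP_NO_SSLv3` set would reject the weak versions while still allowing newer ones.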
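Review bot: In the test_https.py hunk, switching the test server from `SSL.SSLv23_METHOD` to `SSL.TLSv1_METHOD` only shows that the patched client can connect to a TLS 1.0-only server; it does not show that an SSLv3 endpoint is now refused, so a regression of the client change would pass this test unnoticed. A negative test (server built with `SSL.SSLv3_METHOD`, connection expected to fail) would cover the actual fix, and keeping `SSLv23_METHOD` with `ssl_context.set_options(SSL.OP_NO_SSLv3)` would let the test server keep negotiating higher TLS versions as real deployments do.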
I noticed that this wasn't the case in the bundle... perhaps there are other places in the bundle where SSLv3 is used and should not be?
(from redmine: created on 2014-11-19, closed on 2016-07-26, relates #6392 (closed), relates #6435 (closed), relates #6437 (closed))
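Two things a reviewer of this issue would want to be able to do are to find other places in the bundle that pin a pre-TLS protocol constant, and to confirm that a replacement configuration is actually hardened. The following is an added example written for this page, not code from soledad, u1db or the Debian patch; it targets the modern Python 3 `ssl` module (`SSLContext`, `minimum_version`) rather than the Python 2 `ssl.wrap_socket` API the patched code uses, and the sample source lines are constructed to mirror the before and after state of the two hunks above.

```python
import re
import ssl

# Constants that select SSLv2/SSLv3. The first two are the ones replaced by the
# Debian patch quoted in this issue; the rest are the remaining pre-TLS
# constants of the stdlib ssl module and pyOpenSSL (constructed list).
WEAK_PROTOCOL_PATTERNS = [
    r"ssl\.PROTOCOL_SSLv3\b",
    r"SSL\.SSLv23_METHOD\b",
    r"ssl\.PROTOCOL_SSLv2\b",
    r"SSL\.SSLv3_METHOD\b",
    r"SSL\.SSLv2_METHOD\b",
]


def find_weak_protocol_uses(source_lines):
    """Return (line_number, matched_text) for every line that hard-codes a
    protocol constant allowing SSLv2 or SSLv3. Feed it the lines of any file
    in the bundle to locate further occurrences like the ones in the patch."""
    hits = []
    for lineno, line in enumerate(source_lines, start=1):
        for pattern in WEAK_PROTOCOL_PATTERNS:
            match = re.search(pattern, line)
            if match:
                hits.append((lineno, match.group(0)))
    return hits


def make_client_context(cafile=None):
    """Build a client-side context that refuses anything below TLS 1.2 and
    verifies the server certificate and hostname. Assumption: the caller
    passes the CA bundle the deployment trusts; None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_hardened(ctx):
    """True when the context neither negotiates legacy versions nor skips
    certificate verification (the two gaps visible in the patched hunk)."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


# Constructed sample lines mirroring the state of the two files before the patch.
SAMPLE_BEFORE = [
    "self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,",
    "                            ssl_version=ssl.PROTOCOL_SSLv3,",
    "                            **cert_opts)",
    "ssl_context = SSL.Context(SSL.SSLv23_METHOD)",
]

# Constructed sample lines mirroring the state after the patch.
SAMPLE_AFTER = [
    "self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,",
    "                            ssl_version=ssl.PROTOCOL_TLSv1,",
    "                            **cert_opts)",
    "ssl_context = SSL.Context(SSL.TLSv1_METHOD)",
]


if __name__ == "__main__":
    for lineno, text in find_weak_protocol_uses(SAMPLE_BEFORE):
        print("weak protocol constant at line %d: %s" % (lineno, text))
    print("after patch:", find_weak_protocol_uses(SAMPLE_AFTER))
    print("default client context hardened:",
          context_is_hardened(make_client_context()))
```

`find_weak_protocol_uses` is a plain text scan, so it is meant as a quick sweep over the bundle rather than a replacement for reading each call site; it deliberately does not flag `PROTOCOL_TLSv1` or `TLSv1_METHOD`, which the patch introduces, even though a version pinned to TLS 1.0 is itself worth revisiting. `context_is_hardened` checks the two properties the quoted hunk leaves open: a minimum protocol version and mandatory certificate verification.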