Skip to content

SSLv3 problem

Due to the poodle bug, SSLv3 is considered very insecure. Because I run an up-to-date sid here, I think I may have updated some library that has disabled SSLv3, and bitmask seems to be using it, because when I ran bitmask today, I got this traceback:


micah@muck:~$ bitmask --danger --debug
Traceback (most recent call last):
  File "/usr/bin/bitmask", line 9, in 
    load_entry_point('leap.bitmask==0.7.0rc4', 'console_scripts', 'bitmask')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 356, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2476, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2190, in load
    ['__name__'])
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/app.py", line 51, in 
    from leap.bitmask.frontend_app import run_frontend
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/frontend_app.py", line 30, in 
    from leap.bitmask.gui.mainwindow import MainWindow
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/gui/mainwindow.py", line 34, in 
    from leap.bitmask.backend.leapbackend import ERROR_KEY, PASSED_KEY
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/backend/leapbackend.py", line 25, in 
    from leap.bitmask.backend import components
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/backend/components.py", line 35, in 
    from leap.bitmask.config.providerconfig import ProviderConfig
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/config/providerconfig.py", line 27, in 
    from leap.bitmask.services import get_service_display_name
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/services/__init__.py", line 27, in 
    from leap.bitmask.crypto.srpauth import SRPAuth
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/crypto/srpauth.py", line 23, in 
    import requests
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 68, in 
    _attach_namespace(urllib3, 'requests.packages')
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 63, in _attach_namespace
    module = __import__(name)
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 73, in 
    ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD,
AttributeError: 'module' object has no attribute 'PROTOCOL_SSLv3'

I removed that line from line 73 of /usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py and then things worked again, but its puzzling to me why this method was even invoked. We should really make sure there is no SSLv3 involved in the client at all.

(from redmine: created on 2014-11-19, closed on 2014-11-25, relates #6391 (closed), relates #6434 (closed))