SSLv3 problem
Due to the POODLE bug, SSLv3 is considered very insecure. Because I run an up-to-date sid here, I think I may have updated some library that has disabled SSLv3, and bitmask seems to be using it, because when I ran bitmask today, I got this traceback:
```
micah@muck:~$ bitmask --danger --debug
Traceback (most recent call last):
  File "/usr/bin/bitmask", line 9, in <module>
    load_entry_point('leap.bitmask==0.7.0rc4', 'console_scripts', 'bitmask')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 356, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2476, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2190, in load
    ['__name__'])
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/app.py", line 51, in <module>
    from leap.bitmask.frontend_app import run_frontend
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/frontend_app.py", line 30, in <module>
    from leap.bitmask.gui.mainwindow import MainWindow
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/gui/mainwindow.py", line 34, in <module>
    from leap.bitmask.backend.leapbackend import ERROR_KEY, PASSED_KEY
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/backend/leapbackend.py", line 25, in <module>
    from leap.bitmask.backend import components
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/backend/components.py", line 35, in <module>
    from leap.bitmask.config.providerconfig import ProviderConfig
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/config/providerconfig.py", line 27, in <module>
    from leap.bitmask.services import get_service_display_name
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/services/__init__.py", line 27, in <module>
    from leap.bitmask.crypto.srpauth import SRPAuth
  File "/usr/lib/python2.7/dist-packages/leap/bitmask/crypto/srpauth.py", line 23, in <module>
    import requests
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 68, in <module>
    _attach_namespace(urllib3, 'requests.packages')
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 63, in _attach_namespace
    module = __import__(name)
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 73, in <module>
    ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD,
AttributeError: 'module' object has no attribute 'PROTOCOL_SSLv3'
```
I removed that line from line 73 of /usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py and then things worked again, but it's puzzling to me why this method was even invoked. We should really make sure there is no SSLv3 involved in the client at all.
(from redmine: created on 2014-11-19, closed on 2014-11-25, relates #6391 (closed), relates #6434 (closed))
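The failure mode in the traceback, and a check that a client context cannot negotiate SSLv3, as an added example that is not code from bitmask, requests or urllib3. It targets Python 3.7+ with the standard library only; `NO_SSLV3`, `WANTED` and the function names are hypothetical, and the method names are plain string labels standing in for the pyOpenSSL constants.

```python
import ssl
from types import SimpleNamespace

# Constructed stand-in for an ssl module built without SSLv3 (as in the
# traceback above): PROTOCOL_SSLv3 is simply absent.
NO_SSLV3 = SimpleNamespace(PROTOCOL_SSLv23=2, PROTOCOL_TLSv1=3)

# (stdlib constant name, label for the backend method); labels are illustrative
WANTED = [
    ("PROTOCOL_SSLv23", "SSLv23_METHOD"),
    ("PROTOCOL_SSLv3", "SSLv3_METHOD"),
    ("PROTOCOL_TLSv1", "TLSv1_METHOD"),
]

def fragile_map(mod):
    """Dict literal in the style of the failing line: every key is
    evaluated at once, so one missing constant raises AttributeError."""
    return {
        mod.PROTOCOL_SSLv23: "SSLv23_METHOD",
        mod.PROTOCOL_SSLv3: "SSLv3_METHOD",
        mod.PROTOCOL_TLSv1: "TLSv1_METHOD",
    }

def guarded_map(mod):
    """Include a protocol only if the ssl module actually exposes it."""
    return {getattr(mod, name): method
            for name, method in WANTED if hasattr(mod, name)}

def client_context():
    """Client context with an explicit version floor above SSLv3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def refuses_sslv3(ctx):
    """True if SSLv3 is masked by option and below the version floor."""
    masked = bool(ctx.options & ssl.OP_NO_SSLv3)
    return masked and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2

if __name__ == "__main__":
    try:
        fragile_map(NO_SSLV3)
    except AttributeError as exc:
        print("fragile import-time map fails:", exc)
    print("guarded map:", guarded_map(NO_SSLV3))
    print("client refuses SSLv3:", refuses_sslv3(client_context()))
```
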