Ssl2/3 should not be used for secure VNC access
Bug #1771773 reported by Andrey Volkov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Confirmed | Medium | melanie witt |
Bug Description
This report is based on Bandit scanner results.
137 wrapped_sock = ssl.wrap_socket(
wrap_socket is used without ssl_version, which means SSLv23 by default.
As the server part (QEMU) is based on gnutls, which supports all modern TLS versions,
it is possible to use a stricter TLS version on the client (TLSv1.2).
Another option is to make this param configurable.
So, it looks like what we need to do here is pass ssl_version=ssl.PROTOCOL_TLSv1_2 [1] to wrap_socket [2] to fix this.
[1] https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLSv1_2
[2] https://docs.python.org/2/library/ssl.html#ssl.wrap_socket
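A small static check in the spirit of the scanner finding discussed in this report, as an added example that is neither nova's code nor Bandit's implementation: it flags `wrap_socket` calls that omit `ssl_version` or pass a weak protocol constant. The sample source, the function names and the contents of `WEAK_PROTOCOLS` are assumptions made for the illustration, and only the keyword form of `ssl_version` is inspected.

```python
import ast

# Protocol constants this example treats as too permissive (assumption:
# anything that may negotiate SSLv2/SSLv3, including the SSLv23 default).
WEAK_PROTOCOLS = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23"}


def _call_name(func):
    """Return the called name for both ssl.wrap_socket(...) and wrap_socket(...)."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_unpinned_wrap_socket(source):
    """Return sorted (line, reason) pairs for wrap_socket calls without a strict ssl_version."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node.func) != "wrap_socket":
            continue
        version = next((kw.value for kw in node.keywords if kw.arg == "ssl_version"), None)
        if version is None:
            findings.append((node.lineno, "no ssl_version, library default applies"))
        elif isinstance(version, ast.Attribute) and version.attr in WEAK_PROTOCOLS:
            findings.append((node.lineno, "weak protocol " + version.attr))
    return sorted(findings)


# Constructed sample input; the function and file names are hypothetical.
SAMPLE = '''
import ssl

def connect_default(sock):
    return ssl.wrap_socket(sock, keyfile="k.pem", certfile="c.pem")

def connect_sslv3(sock):
    return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv3)

def connect_pinned(sock):
    return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1_2)
'''

if __name__ == "__main__":
    for line, reason in find_unpinned_wrap_socket(SAMPLE):
        print("line %d: %s" % (line, reason))
```

The source is only parsed, never imported or executed, so the check also runs on Python versions where `ssl.wrap_socket` no longer exists.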