[Bug 1411452] [NEW] python-openssl seems to use insecure ciphers by default (and sha2 certificates break)

Michael S. Moody 1411452 at bugs.launchpad.net
Thu Jan 15 23:10:28 UTC 2015


Public bug reported:

Description:	Ubuntu 12.04.1 LTS
Release:	12.04

python-openssl:
  Installed: 0.12-1ubuntu2.1
  Candidate: 0.12-1ubuntu2.1
  Version table:
 *** 0.12-1ubuntu2.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     0.12-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

We use 12.04 and OpenStack with NoVNC. NoVNC recently broke when we
updated our SSL certificates to sha256 from sha1 (the only change).
Doing some testing:

#!/usr/bin/env python

import ssl
import socket
listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
listen_sock.bind(('', 8675))
listen_sock.listen(1)
conn_sock, _addr = listen_sock.accept()
ssl_sock = ssl.wrap_socket(conn_sock, keyfile='/etc/apache2/ssl/yyy.yyyyy.com.key', certfile='/etc/apache2/ssl/yyy.yyyyy.com.crt', server_side=True)

^^ This breaks.

#!/usr/bin/env python

import ssl
import socket
listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
listen_sock.bind(('', 8675))
listen_sock.listen(1)
conn_sock, _addr = listen_sock.accept()
ciphers = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
ssl_sock = ssl.wrap_socket(conn_sock, keyfile='/etc/apache2/ssl/yyy.yyyyy.com.key', certfile='/etc/apache2/ssl/yyy.yyyyy.com.crt', server_side=True, ciphers=ciphers)

^^ This works.

The problem is not isolated to NoVNC (by any means). The Python install
by default doesn't seem to want to support sha256 SSL certificates
without defining the ciphers. Additionally, Python seems to degrade to
almost the worst possible (and most vulnerable) SSL cipher suite
selection unless specifically defined.

Can this be fixed for 12.04 LTS? (Also, feel free to smack me down if
I'm wrong somehow; I'm severely sleep-deprived this week.)

** Affects: pyopenssl (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pyopenssl in Ubuntu.
https://bugs.launchpad.net/bugs/1411452
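
Added example (not part of the original report and not code from python-openssl or NoVNC): a way to see exactly which suites the cipher string quoted in the report enables on the local OpenSSL build, and to flag legacy algorithms among them. It uses the SSLContext API of current Python 3 rather than the 12.04-era ssl.wrap_socket call; the function names, the TLS 1.2 floor and the list of findings are assumptions chosen for illustration.

```python
import ssl

# Cipher string quoted from the bug report above.
REPORT_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)


def server_context(ciphers=REPORT_CIPHERS):
    """Server-side context with an explicit cipher list and a TLS 1.2 floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy, not from the report
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if no suite matches
    return ctx


def fields(description):
    """Parse 'Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD' into a dict."""
    return dict(tok.split("=", 1) for tok in description.split() if "=" in tok)


def audit(ciphers=REPORT_CIPHERS):
    """Map each suite enabled by `ciphers` to a list of legacy-algorithm findings."""
    report = {}
    for suite in server_context(ciphers).get_ciphers():
        f = fields(suite["description"])
        enc, findings = f.get("Enc", ""), []
        if f.get("Au") == "None":
            findings.append("anonymous key exchange")
        if f.get("Mac") == "MD5":
            findings.append("MD5 MAC")
        if enc.startswith(("RC4", "DES(", "None")):
            findings.append("broken or null cipher " + enc)
        if enc.startswith("3DES"):
            findings.append("64-bit block cipher 3DES")
        report[suite["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name:34} {', '.join(findings) or 'ok'}")
    # To serve, load the certificate and key, then wrap the accepted socket:
    #   ctx = server_context(); ctx.load_cert_chain(certfile, keyfile)
    #   ssl_sock = ctx.wrap_socket(conn_sock, server_side=True)
```

Passing a different cipher string to audit() shows what that string would enable; the set of suites listed depends on how the local OpenSSL was built.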
