Disable SSLv3 and RC4 by default

Bug #1563331 reported by Bryan Quigley
Affects: openstack-dashboard (Juju Charms Collection)
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: 16.04

Bug Description

A default deployed (on 14.04) OpenStack dashboard is vulnerable to both SSLv3 attacks and RC4. This affects all dashboards that run on 14.04.

IE support is generally not considered (especially below IE8), which means it's likely safe for us to disable SSLv3.
https://wiki.openstack.org/wiki/Horizon/BrowserSupport

RC4 looks OK too, as most people will not be going through network proxies to reach the dashboard:
https://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/

In both cases, major websites will not be working for them if they use a web browser, and likely the dashboard won't be working correctly either.

Discussion about this taking place on ML here: https://lists.ubuntu.com/archives/juju/2016-March/006936.html

For example, see:
(must ignore warnings and mismatches to run) https://www.ssllabs.com/ssltest/analyze.html?d=16.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
https://16.35.213.162.lcy-02.canonistack.canonical.com/horizon

Tags: poodle
James Page (james-page) wrote :
Changed in openstack-dashboard (Juju Charms Collection):
status: New → Fix Committed
milestone: none → 16.04
importance: Undecided → High
James Page (james-page)
Changed in openstack-dashboard (Juju Charms Collection):
status: Fix Committed → Fix Released