On 03:11 pm, solipsis at pitrou.net wrote: >On Wed, 24 Nov 2010 15:01:06 -0000 >exarkun at twistedmatrix.com wrote: >> > >> >If I believe the link above: >> > 1CAny OpenSSL based TLS server is vulnerable if it is multi-threaded >>and >> >uses OpenSSL's internal caching mechanism. Servers that are >> >multi-process and/or disable internal session caching are NOT >> >affected. 1D >> > >> >So, you just have to create a multithreaded TLS server which doesn't >> >disable server-side session caching (it is enabled by default >>according >> >to >>http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html >> >) >> >>Hm. The session cache is enabled by default, but nothing will ever >>use >>it unless the server specifies a session id using >>SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python >>doesn't expose these, so I don't think any Python SSL server can set >>them. > >Well, Python calls SSL_CTX_set_session_id_context() implicitly, >starting >from 3.2 (precisely so that the session cache gets used). The >"documentation" I've found about the "session id context" seems to >suggest that a process-wide constant is enough. Ah. Okay, then Python 3.2 would be vulnerable. Good thing it isn't released yet. ;) Jean-Paul
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4