On 08:02 am, solipsis at pitrou.net wrote:
>On Tuesday 23 November 2010 at 20:56 -0500, Glyph Lefkowitz wrote:
>>On Nov 23, 2010, at 9:02 AM, Antoine Pitrou wrote:
>>
>> > On Tue, 23 Nov 2010 00:07:09 -0500
>> > Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
>> >> On Mon, Nov 22, 2010 at 11:13 PM, Hirokazu Yamamoto <
>> >> ocean-city at m2.ccsnet.ne.jp> wrote:
>> >>
>> >>> Hello. Does this affect python? Thank you.
>> >>>
>> >>> http://www.openssl.org/news/secadv_20101116.txt
>> >>>
>> >>
>> >> No.
>> >
>> > Well, actually it does, but Python links against the system OpenSSL on
>> > most platforms (except Windows), so it's up to the OS vendor to apply
>> > the patch.
>>
>>It does?  If so, I must have misunderstood the vulnerability.  Can you
>>explain how it affects Python?
>
>If I believe the link above:
>"Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
>uses OpenSSL's internal caching mechanism. Servers that are
>multi-process and/or disable internal session caching are NOT
>affected."
>
>So, you just have to create a multithreaded TLS server which doesn't
>disable server-side session caching (it is enabled by default according
>to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
>)

Hm.  The session cache is enabled by default, but nothing will ever use
it unless the server specifies a session id using
SSL_set_session_id_context or SSL_CTX_set_session_id_context.  Python
doesn't expose these, so I don't think any Python SSL server can set
them.

The vulnerability announcement isn't 100% clear on this, but I took a
look at the patch which fixes the issue and it /appears/ as though if a
client never tries to re-use a session then you will be safe from this
bug.  However, perhaps this only means that only malicious clients
(which send a session id even when they can't actually have one) will
be able to trigger the bug.  Or I may misunderstand how SSL sessions
work in OpenSSL entirely.
The documentation for them is on par with that for most of the rest of
OpenSSL.

Jean-Paul
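The message above turns on whether a client "tries to re-use a session", which on the wire is a ClientHello carrying a non-empty session_id (a client that "can't actually have one" can still put 32 arbitrary bytes there). The following is an added example, not code from the thread, from Python's ssl module or from OpenSSL: it builds a minimal TLS 1.0 ClientHello (record and handshake headers per RFC 2246, with an optional server_name extension) and parses one back with length checks, reporting whether the hello is a resumption attempt. The cipher suite values, the 32-byte random and the host name are constructed sample inputs; the example does not reproduce the advisory's bug, it only shows the field the discussion is about.

```python
"""Build and parse a minimal TLS 1.0 ClientHello to show where session_id lives.

Added example; assumed byte layout follows RFC 2246 (record header, handshake
header, ClientHello body) and RFC 4366 (server_name extension).
"""
import os
import struct

TLS_HANDSHAKE = 0x16        # record content type: handshake
HS_CLIENT_HELLO = 0x01      # handshake message type: client_hello
TLS1_0 = (3, 1)             # protocol version bytes


def build_client_hello(session_id=b"", cipher_suites=(0x002F, 0x0035),
                       random=None, sni=None):
    """Return a full TLS record carrying a ClientHello.

    A non-empty session_id asks the server to resume that session, so the
    server consults its session cache; an empty one means a full handshake.
    """
    if len(session_id) > 32:
        raise ValueError("session_id is at most 32 bytes")
    random = os.urandom(32) if random is None else random
    if len(random) != 32:
        raise ValueError("random must be exactly 32 bytes")
    body = bytes(TLS1_0) + random
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    if sni is not None:                       # optional server_name extension
        host = sni.encode("idna")
        name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0
        name_list = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + bytes(TLS1_0)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Parse a ClientHello record into a dict; raise ValueError on bad lengths."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello handshake message")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length mismatch")
    pos = 0

    def take(n):                              # bounded slice; every length is checked
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = tuple(take(2))
    random = take(32)
    sid_len = take(1)[0]
    if sid_len > 32:
        raise ValueError("session_id longer than 32 bytes")
    session_id = take(sid_len)
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len % 2:
        raise ValueError("odd cipher_suites length")
    raw = take(suites_len)
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    compression = list(take(take(1)[0]))
    extensions = []
    if pos < len(body):                       # extensions block is optional
        ext_len = struct.unpack("!H", take(2))[0]
        if pos + ext_len != len(body):
            raise ValueError("extensions length mismatch")
        while pos < len(body):
            etype, elen = struct.unpack("!HH", take(4))
            extensions.append((etype, take(elen)))
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression,
            "extensions": extensions, "resumption_attempt": sid_len > 0}
```

A server never reaches its session cache for a hello with `resumption_attempt` False; a client that fabricates a session_id (the "malicious client" case above) produces a hello that is byte-for-byte valid, which is why the parser accepts it and only reports it.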