On Wed, 24 Nov 2010 15:01:06 -0000 exarkun at twistedmatrix.com wrote:
> >
> >If I believe the link above:
> >“Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
> >uses OpenSSL's internal caching mechanism. Servers that are
> >multi-process and/or disable internal session caching are NOT
> >affected.”
> >
> >So, you just have to create a multithreaded TLS server which doesn't
> >disable server-side session caching (it is enabled by default according
> >to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
> >)
>
> Hm. The session cache is enabled by default, but nothing will ever use
> it unless the server specifies a session id using
> SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python
> doesn't expose these, so I don't think any Python SSL server can set
> them.

Well, Python calls SSL_CTX_set_session_id_context() implicitly, starting
from 3.2 (precisely so that the session cache gets used). The
"documentation" I've found about the "session id context" seems to
suggest that a process-wide constant is enough.

(and you can verify that caching occurs using the new
SSLContext.session_stats() method)

> Or I may misunderstand how SSL sessions work in OpenSSL entirely. The
> documentation for them is on par with that for most of the rest of
> OpenSSL.

Agreed.

Regards

Antoine.