On Tuesday 23 November 2010 at 20:56 -0500, Glyph Lefkowitz wrote:
> On Nov 23, 2010, at 9:02 AM, Antoine Pitrou wrote:
>
> > On Tue, 23 Nov 2010 00:07:09 -0500
> > Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
> >> On Mon, Nov 22, 2010 at 11:13 PM, Hirokazu Yamamoto <
> >> ocean-c...@m2.ccsnet.ne.jp> wrote:
> >>
> >>> Hello. Does this affect python? Thank you.
> >>>
> >>> http://www.openssl.org/news/secadv_20101116.txt
> >>>
> >>
> >> No.
> >
> > Well, actually it does, but Python links against the system OpenSSL on
> > most platforms (except Windows), so it's up to the OS vendor to apply
> > the patch.
>
>
> It does? If so, I must have misunderstood the vulnerability. Can you
> explain how it affects Python?

If I believe the link above:

“Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
uses OpenSSL's internal caching mechanism. Servers that are multi-process
and/or disable internal session caching are NOT affected.”

So, you just have to create a multithreaded TLS server which doesn't
disable server-side session caching (it is enabled by default according
to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html ).

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev