On 08:02 am, solip...@pitrou.net wrote:
On Tuesday, 23 November 2010 at 20:56 -0500, Glyph Lefkowitz wrote:
On Nov 23, 2010, at 9:02 AM, Antoine Pitrou wrote:
> On Tue, 23 Nov 2010 00:07:09 -0500
> Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
>> On Mon, Nov 22, 2010 at 11:13 PM, Hirokazu Yamamoto <
>> ocean-c...@m2.ccsnet.ne.jp> wrote:
>>
>>> Hello. Does this affect python? Thank you.
>>>
>>> http://www.openssl.org/news/secadv_20101116.txt
>>>
>>
>> No.
>
> Well, actually it does, but Python links against the system OpenSSL on
> most platforms (except Windows), so it's up to the OS vendor to apply
> the patch.
It does? If so, I must have misunderstood the vulnerability. Can you
explain how it affects Python?
If I believe the link above:
"Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
uses OpenSSL's internal caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT
affected."
So, you just have to create a multithreaded TLS server which doesn't
disable server-side session caching (it is enabled by default according
to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html).
Hm. The session cache is enabled by default, but nothing will ever use
it unless the server specifies a session id using
SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python
doesn't expose these, so I don't think any Python SSL server can set
them.
The vulnerability announcement isn't 100% clear on this, but I took a
look at the patch which fixes the issue and it /appears/ as though if a
client never tries to re-use a session then you will be safe from this
bug. However, perhaps this only means that only malicious clients
(which send a session id even when they can't actually have one) will be
able to trigger the bug.
Or I may misunderstand how SSL sessions work in OpenSSL entirely. The
documentation for them is on par with that for most of the rest of
OpenSSL.
Jean-Paul
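The advisory above says only servers that actually serve resumptions out of OpenSSL's internal session cache are affected, and the thread turns on whether a given server ever does. The script below is an added example, not part of the python-dev thread and not Python's or OpenSSL's own code, of the check a practitioner can run against a test server with the openssl command line tools: start `openssl s_server` with session tickets disabled (so resumption has to go through a session ID and the server-side cache rather than a stateless ticket), use `openssl s_client -reconnect` to resume the session five times, count the handshakes OpenSSL reports as "Reused", then repeat with `-no_cache`, which is the mitigation the advisory describes (disabling internal session caching). Assumptions: the `openssl` CLI is installed, loopback networking works, the ports 47331 and 47332 chosen here are free, and the self-signed certificate is a throwaway generated on the fly.

```shell
#!/bin/sh
# Added example (not from the python-dev thread): does a TLS server resume
# sessions from OpenSSL's internal session cache, and does disabling that
# cache (the advisory's mitigation) stop it?
# Assumptions: the `openssl` CLI is on PATH, 127.0.0.1 is reachable, and the
# ports passed to the functions below are free.

WORK=$(mktemp -d)

# Throwaway self-signed certificate for the test server (constructed input,
# never use it for anything real).
make_cert() {
    mkdir -p "$WORK"
    [ -f "$WORK/cert.pem" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# start_server PORT [extra s_server flags...]: prints the server's PID.
# -tls1_2 and -no_ticket force session-ID based resumption, so a resumed
# handshake can only be served out of the internal (SSL_SESS_CACHE_SERVER) cache.
start_server() {
    port=$1; shift
    openssl s_server -accept "$port" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -tls1_2 -no_ticket -www "$@" >/dev/null 2>&1 &
    echo $!
}

# wait_for_server PORT: poll until s_server accepts connections (at most ~20 s).
wait_for_server() {
    i=0
    while [ "$i" -lt 20 ]; do
        if openssl s_client -connect "127.0.0.1:$1" -tls1_2 </dev/null >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

# count_reused PORT: one full handshake, then five reconnects that offer the
# same session ID again; prints how many handshakes s_client reports as "Reused".
count_reused() {
    openssl s_client -connect "127.0.0.1:$1" -tls1_2 -reconnect </dev/null 2>&1 \
        | grep -c '^Reused,' || true
}

# reused_with_flags PORT [s_server flags...]: run the measurement against a
# fresh server started with those flags and print the reuse count (0..5).
reused_with_flags() {
    port=$1; shift
    make_cert || return 1
    pid=$(start_server "$port" "$@")
    wait_for_server "$port" || { kill "$pid" 2>/dev/null || true; return 1; }
    n=$(count_reused "$port")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$n"
}

main() {
    # Default server: internal cache on, so the five reconnects should resume.
    echo "internal cache enabled : $(reused_with_flags 47331) of 5 reconnects reused"
    # -no_cache is SSL_SESS_CACHE_OFF, the advisory's "disable internal session
    # caching" mitigation: every reconnect should be a full handshake again.
    echo "internal cache disabled: $(reused_with_flags 47332 -no_cache) of 5 reconnects reused"
    rm -rf "$WORK"
}

# Run the comparison when executed directly (set NO_MAIN=1 to only load the functions).
[ "${NO_MAIN:-0}" = 1 ] || main
```

Run it as `sh check_resumption.sh`; the first line should report 5 reused handshakes and the second 0. The same `s_client -reconnect` invocation, pointed at a real server, tells you whether that server resumes sessions at all, which is the question the thread is circling; note that it cannot distinguish ticket-based resumption from cache-based resumption on its own, which is why the test server is started with `-no_ticket`.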
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev