On Wed, 24 Nov 2010 15:01:06 -0000
exar...@twistedmatrix.com wrote:
> >
> >If I believe the link above:
> > "Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
> >uses OpenSSL's internal caching mechanism. Servers that are
> >multi-process and/or disable internal session caching are NOT
> >affected."
> >
> >So, you just have to create a multithreaded TLS server which doesn't
> >disable server-side session caching (it is enabled by default according
> >to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
> >)
>
> Hm. The session cache is enabled by default, but nothing will ever use
> it unless the server specifies a session id using
> SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python
> doesn't expose these, so I don't think any Python SSL server can set
> them.

Well, Python calls SSL_CTX_set_session_id_context() implicitly, starting
from 3.2 (precisely so that the session cache gets used). The
"documentation" I've found about the "session id context" seems to
suggest that a process-wide constant is enough.

(and you can verify that caching occurs using the new
SSLContext.session_stats() method)

> Or I may misunderstand how SSL sessions work in OpenSSL entirely. The
> documentation for them is on par with that for most of the rest of
> OpenSSL.

Agreed.

Regards

Antoine.