On 03:11 pm, solip...@pitrou.net wrote:
On Wed, 24 Nov 2010 15:01:06 -0000
exar...@twistedmatrix.com wrote:
>
>If I believe the link above:
>"Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
>uses OpenSSL's internal caching mechanism. Servers that are
>multi-process and/or disable internal session caching are NOT
>affected."
>
>So, you just have to create a multithreaded TLS server which doesn't
>disable server-side session caching (it is enabled by default according
>to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html)

Hm. The session cache is enabled by default, but nothing will ever use
it unless the server specifies a session id using
SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python
doesn't expose these, so I don't think any Python SSL server can set
them.

Well, Python calls SSL_CTX_set_session_id_context() implicitly, starting
from 3.2 (precisely so that the session cache gets used). The
"documentation" I've found about the "session id context" seems to
suggest that a process-wide constant is enough.

Ah. Okay, then Python 3.2 would be vulnerable. Good thing it isn't
released yet. ;)
Jean-Paul