On 24.10.2013 13:36, Victor Stinner wrote:
> IMO the best place to fix the bug is in OpenSSL directly: RAND_bytes()
> function of OpenSSL can detect a fork using getpid() and add more
> entropy (in the child or maybe in the parent process). OpenSSL has
> access to entropy sources and knows all mutexes, whereas Python can
> only guess the list of mutexes (there are probably many more private
> mutexes). OpenSSL may use pthread_atfork() internally.
That's not going to happen anytime soon (if ever). It doesn't solve old installations either. You are forgetting that ssl.RAND_bytes() and RAND_pseudo_bytes() are our least concern. The problem also affects the TLS/SSL handshake and any internal OpenSSL code that needs a CPRNG.

> Reminder: you are supposed to only call exec() after fork(), nothing
> else :-) (Only signal-safe functions are officially supported between
> exec() and fork()).

How are forking web servers supposed to work if you can't use read() or write()? :)

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
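The failure mode the thread is arguing about, and the getpid()-based fix Victor Stinner proposes, as an added worked example (not code from the thread, from CPython or from OpenSSL). It uses a deliberately toy hash-based DRBG, UserspacePRNG, whose state is a plain heap object that fork() duplicates into the child, which is exactly the situation of OpenSSL's in-process CPRNG state in 2013. Without a fork check, parent and child emit the same "random" bytes after the fork; with the check, the child reseeds from the OS on first use. The third variant uses os.register_at_fork(), which did not exist when this mail was written (it arrived in Python 3.7) and is the interpreter-side equivalent of the pthread_atfork() hook mentioned above. Class and function names are this example's own.

```python
import hashlib
import os
import secrets
import struct


class UserspacePRNG:
    """Toy hash-based DRBG living entirely in process memory.

    Hypothetical and NOT for production use: it stands in for any CPRNG
    whose state is a heap object that fork() copies into the child.
    """

    def __init__(self, fork_safe: bool):
        self.fork_safe = fork_safe
        self._reseed()

    def _reseed(self):
        # Pull fresh entropy from the OS and remember which process seeded us.
        self.key = secrets.token_bytes(32)
        self.counter = 0
        self.pid = os.getpid()

    def random_bytes(self, n: int) -> bytes:
        # The fix described in the thread: compare getpid() with the pid seen
        # at seeding time and reseed when it changed. Caveat: pid reuse after
        # a double fork can defeat this check; an atfork hook cannot be fooled.
        if self.fork_safe and os.getpid() != self.pid:
            self._reseed()
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hashlib.sha256(self.key + struct.pack(">Q", self.counter)).digest()
        return out[:n]


def attach_atfork_reseed(prng: UserspacePRNG) -> UserspacePRNG:
    """Python 3.7+ alternative: let the interpreter call us after fork()."""
    os.register_at_fork(after_in_child=prng._reseed)
    return prng


def outputs_after_fork(prng: UserspacePRNG) -> tuple:
    """Fork, draw 32 bytes in both processes, return (parent, child)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: draw a "nonce" and ship it to the parent over the pipe.
        os.close(r)
        nonce = prng.random_bytes(32)
        os.write(w, nonce)
        os.close(w)
        os._exit(0)
    os.close(w)
    child = b""
    while len(child) < 32:
        chunk = os.read(r, 32 - len(child))
        if not chunk:
            break
        child += chunk
    os.close(r)
    os.waitpid(pid, 0)
    parent = prng.random_bytes(32)
    return parent, child


if __name__ == "__main__":
    p, c = outputs_after_fork(UserspacePRNG(fork_safe=False))
    print("no fork check, parent == child:", p == c)
    p, c = outputs_after_fork(UserspacePRNG(fork_safe=True))
    print("getpid() check, parent == child:", p == c)
    p, c = outputs_after_fork(attach_atfork_reseed(UserspacePRNG(fork_safe=False)))
    print("register_at_fork hook, parent == child:", p == c)
```

The unsafe variant reproduces the bug the thread is about: both processes continue from the same key and counter, so the first draw after fork() is byte-for-byte identical, which is fatal if that draw becomes a TLS ClientHello random, a session key or an ECDSA nonce. Note that the check only helps code paths that go through random_bytes(); a server that calls into a library which keeps its own CPRNG state, as OpenSSL did, has no such hook unless the library provides one, which is the point of the reply above.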