On Thu, Nov 19, 2015 at 1:58 AM, M.-A. Lemburg <m...@egenix.com> wrote:
> On 19.11.2015 09:14, Cory Benfield wrote:
>>
>>> On 19 Nov 2015, at 03:53, Ben Bangert <b...@groovie.org> wrote:
>>>
>>> In Python 2 and 3, the ssl module's SSLContext object has a way to set
>>> SSL options, but not to set SSL modes.
>>>
>>> The set_mode command and some of the available modes:
>>> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html
>>>
>>> The most critical mode is SSL_MODE_RELEASE_BUFFERS, which can drop the
>>> SSL overhead *per connection* from around 25kb to ~7kb. The pyopenssl
>>> library allows the setting of SSLContext modes; it seems very odd that
>>> the Python 2/3 ssl modules do not. Though I could understand that
>>> perhaps not all SSL libraries Python might build against would have
>>> this mode thing available.
>>>
>>
>> Ben,
>>
>> Do we need the ability to set arbitrary modes? Most of the modes mentioned
>> in the OpenSSL documentation are things we actively don't want the user to
>> set because stuff will randomly break. With that in mind, and with the fact
>> that SSL_MODE_RELEASE_BUFFERS is so obviously better than the standard,
>> should we just instead have the ssl module automatically set
>> SSL_MODE_RELEASE_BUFFERS unconditionally?
>>
>> If so, I'm happy to submit a bug/patch to get that to happen.
>
> The mode should only be enabled for OpenSSL versions which are
> not affected by this vulnerability:
>
> https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2014-0198
>
> Other than that it seems like a good way forward. Plenty of other
> projects have had this enabled per default for years:
I can't think of any other mode to set; setting this with the condition cited for that vulnerability looks like a good idea.

Cheers,
Ben
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
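The thread settles on enabling SSL_MODE_RELEASE_BUFFERS only on OpenSSL builds not affected by CVE-2014-0198. The following is an added example, not code from the thread or from CPython: it decodes the 0xMNNFFPPS version number the stdlib ssl module exposes, gates on fix thresholds that are my assumption (1.0.0m and 1.0.1h, from my reading of the OpenSSL advisory for that CVE; verify them), and applies the mode through pyOpenSSL's Context.set_mode, the API the thread notes the stdlib ssl module lacks.

```python
import ssl


def parse_openssl_version(number):
    """Split an OPENSSL_VERSION_NUMBER in OpenSSL 1.x's 0xMNNFFPPS layout into
    (major, minor, fix, patch, status), the tuple ssl.OPENSSL_VERSION_INFO gives.
    The patch byte encodes the letter suffix: 'a' = 1, 'h' = 8, 'm' = 13."""
    return (
        (number >> 28) & 0xF,
        (number >> 20) & 0xFF,
        (number >> 12) & 0xFF,
        (number >> 4) & 0xFF,
        number & 0xF,
    )


# Assumed fix thresholds for CVE-2014-0198 (my reading of the OpenSSL June 2014
# advisory; verify before relying on them): the 1.0.0 branch is fixed from 1.0.0m,
# the 1.0.1 branch from 1.0.1h. Branches from 1.0.2 on never carried the bug.
_CVE_2014_0198_FIXED_PATCH = {(1, 0, 0): 13, (1, 0, 1): 8}


def release_buffers_is_safe(number):
    """True when the OpenSSL build identified by `number` is outside the range
    affected by CVE-2014-0198, so SSL_MODE_RELEASE_BUFFERS can be turned on."""
    major, minor, fix, patch, status = parse_openssl_version(number)
    if major >= 2:
        return True  # OpenSSL 3.x (0xMNN00PP0 layout) postdates the fix entirely
    if status != 0xF:
        return False  # pre-release snapshot of a 1.x branch: don't trust the letter
    branch = (major, minor, fix)
    if branch in _CVE_2014_0198_FIXED_PATCH:
        return patch >= _CVE_2014_0198_FIXED_PATCH[branch]
    return branch > (1, 0, 1)  # 1.0.2 and later: safe; 0.9.x: conservatively off


def enable_release_buffers(context, number=ssl.OPENSSL_VERSION_NUMBER):
    """Set SSL_MODE_RELEASE_BUFFERS on a pyOpenSSL Context only when it is safe.
    Returns True if the mode was applied. pyOpenSSL is imported here, not at the
    top, so the version logic above stays usable with the stdlib alone."""
    if not release_buffers_is_safe(number):
        return False
    from OpenSSL import SSL  # pyOpenSSL exposes Context.set_mode; stdlib ssl does not
    context.set_mode(SSL.MODE_RELEASE_BUFFERS)
    return True
```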