On 2016-08-31 11:33, M.-A. Lemburg wrote:
> On 31.08.2016 10:50, Christian Heimes wrote:
>> On 2016-08-31 10:31, M.-A. Lemburg wrote:
>>> In all this discussion I have yet to find a compelling security
>>> relevant argument for using a 1.0.2 API which is so important
>>> that we cannot make this optional at runtime.
>>>
>>> The only argument Christian reported was this one:
>>>
>>> """
>>>> BTW: Are there any features in 1.0.2 that we need and would warrant
>>>> dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS ?
>>>
>>> Yes, there are features I want to use, e.g. proper hostname
>>> verification. Python's post-handshake verification is a hack and leads
>>> to information disclosure.
>>> """
>>>
>>> Regarding that argument: hostname validation can be done
>>> in 1.0.1 by providing a verification hook handler. That's
>>> intended and by design, not a hack. 1.0.2 comes with
>>> support for hostname validation making this a little easier
>>> (you still have to set this up, though).
>>
>> Are you willing to implement and maintain this callback? Are you
>> willing to do all the work?
> 
> Maintain: yes, if needed.
> 
> It is already implemented, so that part isn't hard :-)

No, it is not implemented as a callback. It is implemented as a
post-verification step, which is wrong.

>> Are you aware how many security bugs we had in our own verification
>> code? I'm aware of at least two critical bugs.
> 
> Not that many, given that host name validation is more
> a best-practices art than one where all participants
> implement the standards:
> 
> http://bugs.python.org/issue?%40columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignee%2Cstatus%2Ctype&%40sort=-activity&%40filter=status&%40action=searchid&ignore=file%3Acontent&%40search_text=match_hostname&submit=search&status=-1%2C1%2C2%2C3
> 
> The only critical bug I could find was this one (NUL bytes
> in subjectAltName):
> 
> http://bugs.python.org/issue18709
> 
> but as I understand, the true origin of the bug was an OpenSSL
> function, not the host name matching code in Python.

Ah, I forgot about the NULL bytes issue. The bug is not caused by a
problem in OpenSSL. We just used the wrong function to convert General
Name ASN.1 strings to Unicode.

Then there are four critical bugs:

* NULL bytes in SAN
* wrong, insecure RFC for wildcard matching
* DoS caused by excessive regular expression matching for wildcards
* invalid handling of IDNA for wildcard matching

IP address verification is still wrong, too.


This was my last reply to your mails on this topic. It's clear to me
that you are not open to Cory's, Nick's or my arguments and that you
won't change your position. More replies are just a waste of my limited
time.

Instead I'm going to focus on a PEP to define OpenSSL support and to
auto-deprecate unsupported OpenSSL versions. The PEP has a very high
chance of getting accepted. Everybody except you supports the plan.

Christian
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
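An added example, written for this archive page and not code from CPython's ssl module or from anyone in the thread, showing the checks a hostname matcher has to get right for the bug classes Christian lists (NUL bytes in a SAN, wildcard scope, regex-driven DoS, wildcards against IDNA A-labels) plus IP-literal handling. The function names, the CertificateError class and the sample SAN entries are my own; the code assumes the caller has already extracted the dNSName and iPAddress SAN entries from the certificate and has converted any IDN hostname to its ASCII A-label form before calling.

```python
import ipaddress
from typing import Iterable


class CertificateError(ValueError):
    """Raised when no SAN entry matches the requested host (hypothetical type)."""


def _dnsname_match(dn: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 6.4.3 style).

    Label-by-label comparison only: no regular expressions, so no input
    can cause catastrophic backtracking, and the cost is linear in the
    length of the names.
    """
    # Embedded NUL: a CA-issued "www.victim.example\x00.attacker.example"
    # must never compare equal to "www.victim.example".
    if not dn or "\x00" in dn or "\x00" in hostname:
        return False
    # Both sides must already be A-labels; refusing non-ASCII here avoids
    # silently applying a different IDNA mapping than the caller intended.
    if not dn.isascii() or not hostname.isascii():
        return False
    dn_labels = dn.lower().split(".")
    host_labels = hostname.lower().split(".")
    # Empty labels ("a..b", trailing dot) are rejected rather than guessed at.
    if any(not lbl for lbl in dn_labels) or any(not lbl for lbl in host_labels):
        return False
    # A wildcard covers exactly one label, so the label counts must agree.
    if len(dn_labels) != len(host_labels):
        return False
    first, rest = dn_labels[0], dn_labels[1:]
    # Wildcards are only permitted in the leftmost label.
    if any("*" in lbl for lbl in rest):
        return False
    if first == "*":
        # Conservative policy (assumption, stricter than RFC 6125): require
        # at least two labels after the wildcard so "*.com" matches nothing.
        if len(dn_labels) < 3:
            return False
        # Never let a wildcard stand in for an IDNA A-label.
        if host_labels[0].startswith("xn--"):
            return False
        return rest == host_labels[1:]
    # Partial wildcards such as "f*o.example" or "xn--*.example" are refused.
    if "*" in first:
        return False
    return dn_labels == host_labels


def match_hostname(hostname: str, dns_names: Iterable[str],
                   ip_addrs: Iterable[str]) -> str:
    """Return the SAN entry that matched `hostname`, else raise CertificateError.

    An IP literal is compared only against iPAddress entries, as parsed
    addresses; it is never matched against dNSName entries or wildcards.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        for entry in ip_addrs:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return entry
            except ValueError:
                continue  # malformed iPAddress entry: ignore, do not crash
        raise CertificateError(f"IP address {hostname!r} matches no iPAddress SAN")
    for dn in dns_names:
        if _dnsname_match(dn, hostname):
            return dn
    raise CertificateError(f"hostname {hostname!r} matches no dNSName SAN")


def matches(hostname: str, dns_names: Iterable[str] = (),
            ip_addrs: Iterable[str] = ()) -> bool:
    """Boolean convenience wrapper around match_hostname()."""
    try:
        match_hostname(hostname, dns_names, ip_addrs)
        return True
    except CertificateError:
        return False


if __name__ == "__main__":
    # Constructed SAN data; the names are illustrative, not from a real cert.
    san_dns = ["www.example.com", "*.example.com"]
    san_ip = ["192.0.2.10", "2001:db8::1"]
    for host in ["WWW.example.com", "api.example.com", "a.b.example.com",
                 "xn--kda.example.com", "192.0.2.10", "192.0.2.11"]:
        print(f"{host:24} -> {matches(host, san_dns, san_ip)}")
```

Each rejection branch above corresponds to one of the failure modes named in the mail: the NUL check and the A-label refusal address the subjectAltName conversion bug and the IDNA wildcard problem, the "leftmost label only, one label only" rules are the RFC wildcard policy, and the absence of any regular expression is what removes the DoS surface.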