[issue20994] Disable TLS Compression

2017-09-05 Thread Christian Heimes
Christian Heimes added the comment: Issue #28043 did disable compression along with other improvements. 3.5 is now out of scope but I'm considering backporting #28043 to 2.7. I'm closing this issue in favor of #28043. -- resolution: -> duplicate stage: needs patch -> resolved status:

[issue20994] Disable TLS Compression

2016-09-15 Thread Christian Heimes
Christian Heimes added the comment: For 3.6 and 3.7, _ssl__SSLContext_impl() now sets NO_COMPRESSION. -- assignee: -> christian.heimes components: +SSL versions: -Python 3.6, Python 3.7 ___ Python tracker

[issue20994] Disable TLS Compression

2016-09-08 Thread Christian Heimes
Christian Heimes added the comment: The default context sets context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0); _create_unverified_context() is missing that line. -- stage: -> needs patch type: -> security versions: +Python 3.6, Python 3.7 -Python 3.3, Python 3.4
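An added example, not part of the tracker thread or of CPython's source: an offline audit of which context constructors leave OP_NO_COMPRESSION set, using the getattr fallback quoted in the comment above. The helper names (compression_disabled, harden, reenable, audit, contexts_to_audit) are hypothetical, and the public ssl module is used where the quoted line uses the private _ssl.

```python
import ssl

# Same fallback as the line quoted in the thread: on builds whose OpenSSL
# lacks the flag the constant is absent, and OR-ing in 0 is a no-op.
NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)


def compression_disabled(ctx):
    """True when the context's option mask forbids TLS-level compression."""
    return bool(NO_COMPRESSION) and bool(ctx.options & NO_COMPRESSION)


def harden(ctx):
    """Set the flag explicitly; safe to call on any context."""
    ctx.options |= NO_COMPRESSION
    return ctx


def reenable(ctx):
    """The opt-back-in path discussed in the thread: clear only this one bit."""
    ctx.options &= ~NO_COMPRESSION
    return ctx


def contexts_to_audit():
    """Constructors named in the thread, plus a deliberate opt-back-in case."""
    return {
        "create_default_context": ssl.create_default_context,
        # Private helper named in the comment above; audited here, not recommended.
        "_create_unverified_context": ssl._create_unverified_context,
        "bare SSLContext": lambda: ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT),
        "opted back in": lambda: reenable(ssl.create_default_context()),
    }


def audit(factories):
    """Build each context fresh and report whether compression is disabled."""
    return {name: compression_disabled(make()) for name, make in factories.items()}


if __name__ == "__main__":
    for name, ok in audit(contexts_to_audit()).items():
        print(f"{name:28} {'compression off' if ok else 'COMPRESSION ALLOWED'}")
```

On interpreters that predate the fix described in this thread, some of the first three rows may report that compression is still allowed; calling harden() on the context closes that gap.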

[issue20994] Disable TLS Compression

2016-09-08 Thread Christian Heimes
Changes by Christian Heimes: -- priority: normal -> high

[issue20994] Disable TLS Compression

2014-09-30 Thread Georg Brandl
Georg Brandl added the comment: I wouldn't consider this important enough for 3.2, since it lacks the means to do the opt-back-in. -- nosy: +georg.brandl versions: -Python 3.2

[issue20994] Disable TLS Compression

2014-08-25 Thread Alex Gaynor
Alex Gaynor added the comment: Pinging on this. Since the SSL backport landed, concerns about an inability to change this behavior on python2 are no longer there. At a minimum I think we should include this flag in the default and stdlib contexts. --

[issue20994] Disable TLS Compression

2014-08-25 Thread Antoine Pitrou
Antoine Pitrou added the comment: Now that the backport has landed, I think you're welcome to do any further necessary tweaks. By the way, as mentioned in the comments, I think we could add SSL_OP_NO_COMPRESSION to ssl.OP_ALL in all versions. --

[issue20994] Disable TLS Compression

2014-03-20 Thread Donald Stufft
New submission from Donald Stufft: Since Python 3.3 the ssl module has supported the ability to opt in to disabling TLS Compression [1]. However TLS Compression has the problem that it typically leaks data through an attack known as CRIME. CRIME is specific to HTTP but the type of attack it

[issue20994] Disable TLS Compression

2014-03-20 Thread Antoine Pitrou
Antoine Pitrou added the comment: It would probably be sufficient to add OP_NO_COMPRESSION to OP_ALL. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue20994 ___

[issue20994] Disable TLS Compression

2014-03-20 Thread Donald Stufft
Donald Stufft added the comment: Ah, I hadn't noticed the OP_ALL thing, in 3.3+ adding OP_NO_COMPRESSION to OP_ALL would be reasonable. That would disable TLS Compression by default, still provide people the ability to disable TLS Compression if they don't use OP_ALL, and provide a way to

[issue20994] Disable TLS Compression

2014-03-20 Thread Antoine Pitrou
Antoine Pitrou added the comment: Do you think it'd be OK to just disable TLS Compression in 2.7 and 3.2 without the option to turn it back on? I think that would be fine personally. I'm not enough of a TLS expert, but it sounds ok.

[issue20994] Disable TLS Compression

2014-03-20 Thread Alex Gaynor
Changes by Alex Gaynor alex.gay...@gmail.com: -- nosy: +alex

[issue20994] Disable TLS Compression

2014-03-20 Thread Alex Stapleton
Alex Stapleton added the comment: CRIME is not universally applicable to all TLS connections and it requires some cooperation from the application to work. In fact for a Python TLS client it seems quite unlikely for an application to be vulnerable. The attack in the paper leverages an

[issue20994] Disable TLS Compression

2014-03-20 Thread Donald Stufft
Donald Stufft added the comment: To be specific it doesn't require any remote code execution to work, it just requires you to be able to influence the content of the responses that the client is receiving.

[issue20994] Disable TLS Compression

2014-03-20 Thread Donald Stufft
Donald Stufft added the comment: This is a simple patch, it simply disables TLS Compression by default. If a user wants to add it back they can create their own SSLContext and do

    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options &= ~ssl.OP_NO_COMPRESSION

This should be able to apply

[issue20994] Disable TLS Compression

2014-03-20 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever

[issue20994] Disable TLS Compression

2014-03-20 Thread Donald Stufft
Donald Stufft added the comment: Here's the same patch for Python 2.7, it's basically the same thing just at a different location. -- Added file: http://bugs.python.org/file34532/disable-ssl-compression-2.7.diff