[Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a) (original) (raw)
Antoine Pitrou solipsis at pitrou.net
Wed Nov 24 09:02:13 CET 2010
- Previous message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
- Next message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Le mardi 23 novembre 2010 à 20:56 -0500, Glyph Lefkowitz a écrit :
On Nov 23, 2010, at 9:02 AM, Antoine Pitrou wrote:
> On Tue, 23 Nov 2010 00:07:09 -0500 > Glyph Lefkowitz <glyph at twistedmatrix.com> wrote: >> On Mon, Nov 22, 2010 at 11:13 PM, Hirokazu Yamamoto <_ _>> ocean-city at m2.ccsnet.ne.jp> wrote: >> >>> Hello. Does this affect python? Thank you. >>> >>> http://www.openssl.org/news/secadv20101116.txt >>> >> >> No. > > Well, actually it does, but Python links against the system OpenSSL on > most platforms (except Windows), so it's up to the OS vendor to apply > the patch.
It does? If so, I must have misunderstood the vulnerability. Can you explain how it affects Python?
If I believe the link above: “Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.”
So, you just have to create a multithreaded TLS server which doesn't disable server-side session caching (it is enabled by default according to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html )
Regards
Antoine.
- Previous message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
- Next message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]