[Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a) (original) (raw)

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Wed Nov 24 16:01:06 CET 2010

• Previous message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
• Next message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08:02 am, solipsis at pitrou.net wrote:

Le mardi 23 novembre 2010 à 20:56 -0500, Glyph Lefkowitz a écrit :

On Nov 23, 2010, at 9:02 AM, Antoine Pitrou wrote:

> On Tue, 23 Nov 2010 00:07:09 -0500 > Glyph Lefkowitz <glyph at twistedmatrix.com> wrote: >> On Mon, Nov 22, 2010 at 11:13 PM, Hirokazu Yamamoto <_ _>> ocean-city at m2.ccsnet.ne.jp> wrote: >> >>> Hello. Does this affect python? Thank you. >>> >>> http://www.openssl.org/news/secadv20101116.txt >>> >> >> No. > > Well, actually it does, but Python links against the system OpenSSL on > most platforms (except Windows), so it's up to the OS vendor to apply > the patch.

It does? If so, I must have misunderstood the vulnerability. Can you explain how it affects Python? If I believe the link above: 1CAny OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected. 1D So, you just have to create a multithreaded TLS server which doesn't disable server-side session caching (it is enabled by default according to http://www.openssl.org/docs/ssl/SSLCTXsetsessioncachemode.html )

Hm. The session cache is enabled by default, but nothing will ever use it unless the server specifies a session id using SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python doesn't expose these, so I don't think any Python SSL server can set them.

The vulnerability announcement isn't 100% clear on this, but I took a look at the patch which fixes the issue and it /appears/ as though if a client never tries to re-use a session then you will be safe from this bug. However, perhaps this only means that only malicious clients (which send a session id even when they can't actually have one) will be able to trigger the bug.

Or I may misunderstand how SSL sessions work in OpenSSL entirely. The documentation for them is on par with that for most of the rest of OpenSSL.

Jean-Paul

• Previous message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
• Next message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list