[Python-Dev] OpenSSL Vulnerability (openssl-1.0.0a)
exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Wed Nov 24 17:23:12 CET 2010
- Previous message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
- Next message: [Python-Dev] [Python-checkins] r86702 - python/branches/py3k/Lib/idlelib/IOBinding.py
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 03:11 pm, solipsis at pitrou.net wrote:
>On Wed, 24 Nov 2010 15:01:06 -0000 exarkun at twistedmatrix.com wrote:
>> >If I believe the link above:
>> >“Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
>> >uses OpenSSL's internal caching mechanism. Servers that are
>> >multi-process and/or disable internal session caching are NOT
>> >affected.”
>> >
>> >So, you just have to create a multithreaded TLS server which doesn't
>> >disable server-side session caching (it is enabled by default according
>> >to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
>> >)
>>
>>Hm. The session cache is enabled by default, but nothing will ever use
>>it unless the server specifies a session id using
>>SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python
>>doesn't expose these, so I don't think any Python SSL server can set
>>them.
>
>Well, Python calls SSL_CTX_set_session_id_context() implicitly, starting
>from 3.2 (precisely so that the session cache gets used). The
>"documentation" I've found about the "session id context" seems to
>suggest that a process-wide constant is enough.

Ah. Okay, then Python 3.2 would be vulnerable. Good thing it isn't released yet. ;)

Jean-Paul