[Python-Dev] Supported versions of OpenSSL

M.-A. Lemburg mal at egenix.com
Wed Aug 31 05:33:49 EDT 2016


On 31.08.2016 10:50, Christian Heimes wrote:
> On 2016-08-31 10:31, M.-A. Lemburg wrote:
>> In all this discussion I have yet to find a compelling security relevant argument for using an 1.0.2 API which is so important that we cannot make this optional at runtime.
>>
>> The only argument Christian reported was this one:
>>
>> """
>> BTW: Are there any features in 1.0.2 that we need and would warrant dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS ?
>>
>> Yes, there are features I want to use, e.g. proper hostname verification. Python's post-handshake verification is a hack and leads to information disclosure.
>> """
>>
>> Regarding that argument: hostname validation can be done in 1.0.1 by providing a verification hook handler. That's intended and by design, not a hack. 1.0.2 comes with support for hostname validation making this a little easier (you still have to set this up, though).
>
> Are you willing to implement and maintain this callback? Are you willing to do all the work?

Maintain: yes, if needed.

It is already implemented, so that part isn't hard :-)

> Are you aware of how many security bugs we had in our own verification code? I'm aware of at least two critical bugs.

Not that many, given that host name validation is more of a best-practices art than one where all participants implement the standards:

http://bugs.python.org/issue?%40columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignee%2Cstatus%2Ctype&%40sort=-activity&%40filter=status&%40action=searchid&ignore=file%3Acontent&%40search_text=match_hostname&submit=search&status=-1%2C1%2C2%2C3

The only critical bug I could find was this one (NUL bytes in subjectAltName):

http://bugs.python.org/issue18709

but as I understand it, the true origin of the bug was an OpenSSL function, not the host name matching code in Python.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Aug 31 2016)
Python Projects, Coaching and Consulting ...  http://www.egenix.com/
Python Database Interfaces ...           http://products.egenix.com/
Plone/Zope Database Interfaces ...           http://zope.egenix.com/

::: We implement business ideas - efficiently in both time and costs :::

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
http://www.malemburg.com/
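The thread above argues over where hostname verification should happen (inside the OpenSSL verify callback, via the built-in host check that OpenSSL 1.0.2 added, or after the handshake in Python) and points at a tracker issue about NUL bytes in subjectAltName. The following is an added example for this page, not CPython's own ssl.match_hostname and not code posted in the thread: a post-handshake matcher over the dict layout that ssl.SSLSocket.getpeercert() returns, with the NUL-byte case handled explicitly. The certificate dicts, the domain attacker.invalid and the helper as_seen_through_c_strings (a hypothetical model of an extraction layer that truncates every name at its first NUL byte) are constructed for this illustration.

```python
import ipaddress
from typing import Any, Mapping


class CertificateError(ValueError):
    """Raised when the certificate does not cover the requested hostname."""


def _dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or commonName) value against a hostname.

    Rules, modelled on RFC 6125 section 6.4.3: case-insensitive, label by
    label, trailing dot ignored; '*' counts only as the whole leftmost label,
    needs at least two labels after it (a conservative choice made for this
    example) and never matches an IDNA A-label (xn--...); a NUL byte anywhere
    is rejected outright, since a NUL-terminated C string would silently
    truncate such a name (the bug class of bpo-18709).
    """
    if "\x00" in pattern or "\x00" in hostname or "*" in hostname:
        return False
    pat_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in pat_labels or "" in host_labels:       # empty label, e.g. "a..b"
        return False
    if len(pat_labels) != len(host_labels):
        return False
    leftmost, rest = pat_labels[0], pat_labels[1:]
    if leftmost == "*":
        if len(rest) < 2 or host_labels[0].startswith("xn--"):
            return False
        return rest == host_labels[1:]
    # Partial or non-leftmost wildcards are treated as literals; they can
    # never match because hostnames containing '*' were rejected above.
    return pat_labels == host_labels


def match_hostname(cert: Mapping[str, Any], hostname: str) -> None:
    """Raise CertificateError unless `cert` is valid for `hostname`.

    `cert` uses the getpeercert() layout:
      {"subject": (((key, value), ...), ...), "subjectAltName": ((type, value), ...)}
    Per RFC 6125 section 6.4.4 the commonName is consulted only when the
    certificate carries no dNSName entry at all.
    """
    if not cert:
        raise CertificateError("no certificate presented")
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    if host_ip is not None:                          # connecting by IP literal
        for value in ip_names:
            try:
                if ipaddress.ip_address(value.strip()) == host_ip:
                    return
            except ValueError:
                continue                             # malformed entry never matches
        raise CertificateError(f"{hostname!r} not among iPAddress entries {ip_names!r}")

    for name in dns_names:
        if _dnsname_matches(name, hostname):
            return
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dnsname_matches(value, hostname):
                    return
    raise CertificateError(f"{hostname!r} does not match certificate names {dns_names!r}")


def is_valid_for(cert: Mapping[str, Any], hostname: str) -> bool:
    """Boolean wrapper around match_hostname."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


def as_seen_through_c_strings(cert: Mapping[str, Any]) -> dict:
    """Hypothetical model of an extraction layer that cuts every name at its
    first NUL byte, as a NUL-terminated C string conversion does; this is the
    defect reported in bpo-18709, reproduced in Python for illustration."""
    def cut(value: str) -> str:
        return value.split("\x00", 1)[0]
    return {
        "subject": tuple(tuple((k, cut(v)) for k, v in rdn) for rdn in cert.get("subject", ())),
        "subjectAltName": tuple((k, cut(v)) for k, v in cert.get("subjectAltName", ())),
    }


# Constructed fixtures for this example; none of these are real certificates.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
NUL_CERT = {   # NUL-prefix name: reads as www.example.com to a C string consumer
    "subject": ((("commonName", "attacker.invalid"),),),
    "subjectAltName": (("DNS", "www.example.com\x00.attacker.invalid"),),
}

if __name__ == "__main__":
    for cert, host in [(GOOD_CERT, "api.example.com"), (NUL_CERT, "www.example.com"),
                       (as_seen_through_c_strings(NUL_CERT), "www.example.com")]:
        print(f"{host:20} -> {is_valid_for(cert, host)}")
```

The last fixture is the point of the example: a matcher that never sees the NUL cannot defend against it. Fed the raw name, the matcher rejects it; fed the same certificate through a layer that hands names over as NUL-terminated strings, it accepts www.example.com, which is exactly the NUL-prefix problem behind the tracker issue cited above. Whichever side of the handshake the check runs on, the subjectAltName values have to be carried with their length, and the check has to finish before any application data is exchanged, which is what doing it in the verify callback (or through OpenSSL 1.0.2's built-in host check) guarantees by construction.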


