[Python-Dev] OpenSSL Vulnerability (openssl-1.0.0a)
exarkun at twistedmatrix.com
exarkun at twistedmatrix.com
Wed Nov 24 17:23:12 CET 2010
On 03:11 pm, solipsis at pitrou.net wrote:
>On Wed, 24 Nov 2010 15:01:06 -0000
>exarkun at twistedmatrix.com wrote:
>> >
>> >If I believe the link above:
>> > 1CAny OpenSSL based TLS server is vulnerable if it is multi-threaded
>>and
>> >uses OpenSSL's internal caching mechanism. Servers that are
>> >multi-process and/or disable internal session caching are NOT
>> >affected. 1D
>> >
>> >So, you just have to create a multithreaded TLS server which doesn't
>> >disable server-side session caching (it is enabled by default
>>according
>> >to
>>http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
>> >)
>>
>>Hm. The session cache is enabled by default, but nothing will ever
>>use
>>it unless the server specifies a session id using
>>SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python
>>doesn't expose these, so I don't think any Python SSL server can set
>>them.
>
>Well, Python calls SSL_CTX_set_session_id_context() implicitly,
>starting
>from 3.2 (precisely so that the session cache gets used). The
>"documentation" I've found about the "session id context" seems to
>suggest that a process-wide constant is enough.
Ah. Okay, then Python 3.2 would be vulnerable. Good thing it isn't
released yet. ;)
Jean-Paul
More information about the Python-Dev
mailing list