[Python-Dev] Python stdlib ssl.SSLContext is missing mode setting ability
Ben Bangert
ben at groovie.org
Thu Nov 19 10:26:28 EST 2015
On Thu, Nov 19, 2015 at 1:58 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 19.11.2015 09:14, Cory Benfield wrote:
>>
>>> On 19 Nov 2015, at 03:53, Ben Bangert <ben at groovie.org> wrote:
>>>
>>> In Python 2 and 3, the ssl module's SSLContext object has a way to set
>>> SSL options, but not to set SSL modes.
>>>
>>> The set_mode command and some of the available modes:
>>> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html
>>>
>>> The most critical mode is SSL_MODE_RELEASE_BUFFERS, which can drop the
>>> SSL overhead *per connection* from around 25kb to ~7kb. The pyopenssl
>>> library allows the setting of SSLContext modes, it seems very odd that
>>> the Python 2/3 ssl modules do not. Though I could understand that
>>> perhaps not all SSL libraries Python might build against would have
>>> this mode thing available.
>>>
>>
>> Ben,
>>
>> Do we need the ability to set arbitrary modes? Most of the modes mentioned in the OpenSSL documentation are things we actively don’t want the user to set because stuff will randomly break. With that in mind, and with the fact that SSL_MODE_RELEASE_BUFFERS is so obviously better than the standard, should we just instead have the ssl module automatically set SSL_MODE_RELEASE_BUFFERS unconditionally?
>>
>> If so, I’m happy to submit a bug/patch to get that to happen.
>
> The mode should only be enabled for OpenSSL versions which are
> not affected by this vulnerability:
>
> https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2014-0198
>
> Other than that it seems like a good way forward. Plenty other
> projects have had this enabled per default for years:
I can't think of any other mode to set, setting this with the
condition cited for that vulnerability looks like a good idea.
Cheers,
Ben
More information about the Python-Dev
mailing list