[Python-Dev] Supported versions of OpenSSL
M.-A. Lemburg
mal at egenix.com
Wed Aug 31 05:33:49 EDT 2016
On 31.08.2016 10:50, Christian Heimes wrote:
> On 2016-08-31 10:31, M.-A. Lemburg wrote:
>> In all this discussion I have yet to find a compelling security
>> relevant argument for using an 1.0.2 API which is so important
>> that we cannot make this optional at runtime.
>>
>> The only argument Christian reported was this one:
>>
>> """
>>> BTW: Are there any features in 1.0.2 that we need and would warrant
>>> dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS ?
>>
>> Yes, there are features I want to use, e.g. proper hostname
>> verification. Python's post-handshake verification is a hack and leads
>> to information disclosure.
>> """
>>
>> Regarding that argument: hostname validation can be done
>> in 1.0.1 by providing a verification hook handler. That's
>> intended and by design, not a hack. 1.0.2 comes with
>> support for hostname validation making this a little easier
>> (you still have to set this up, though).
>
> Are you willing to do implement and maintain this callback? Are you
> willing to do all work?
Maintain: yes, if needed.
It is already implemented, so that part isn't hard :-)
> Are you aware how many security bugs we had in our own verification
> code? I'm aware of at least two critical bugs.
Not that many, given that the host name validation is more
a best practices art rather than one where all participants
implement the standards:
http://bugs.python.org/issue?%40columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignee%2Cstatus%2Ctype&%40sort=-activity&%40filter=status&%40action=searchid&ignore=file%3Acontent&%40search_text=match_hostname&submit=search&status=-1%2C1%2C2%2C3
The only critical bug I could find was this one (NUL bytes
in subjectAltName):
http://bugs.python.org/issue18709
but as I understand, the true origin of the bug was an OpenSSL
function, not the host name matching code in Python.
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Experts (#1, Aug 31 2016)
>>> Python Projects, Coaching and Consulting ... http://www.egenix.com/
>>> Python Database Interfaces ... http://products.egenix.com/
>>> Plone/Zope Database Interfaces ... http://zope.egenix.com/
________________________________________________________________________
::: We implement business ideas - efficiently in both time and costs :::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
http://www.malemburg.com/
More information about the Python-Dev
mailing list