Python OpenSSL library
geremy condra
debatem1 at gmail.com
Tue Jun 15 16:40:42 EDT 2010
On Tue, Jun 15, 2010 at 1:27 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Mon, 14 Jun 2010 19:47:49 +0100
> Nobody <nobody at nowhere.com> wrote:
>> On Mon, 14 Jun 2010 10:43:02 -0700, John Nagle wrote:
>>
>> > The new SSL module in Python 2.6
>>
>> There isn't an SSL module in Python 2.6. There is a module named "ssl"
>> which pretends to implement SSL, but in fact doesn't.
>
> What do you mean by "doesn't"?
> Can you point to an open bug report describing the issue?
He's describing the lack of hostname checking, discussed here[0],
here[1], and in my pycon lightning talk last year, wherever those
are kept. My understanding is that it has led to vulnerabilities in
code deployed by Red Hat and several other vendors; if you need
to speak with them I can probably get the people involved in that
effort to come forward privately.
Both the lead for M2Crypto and the authors of zc.ssl have publicly
stated that this needs to be fixed.
Geremy Condra
[0] http://mail.python.org/pipermail/python-list/2010-April/1242166.html
[1] http://bugs.python.org/issue1589
More information about the Python-list
mailing list