Query on Python 3.2 and supported OpenSSL Versions

Simon Ward simon+python at bleah.co.uk
Mon May 25 07:07:01 EDT 2015


On Mon, May 25, 2015 at 09:33:06AM +0000, Donal Duane wrote:
> 
> Hi Python Users,
> 
> I was hoping you might be able to assist me with a query:
> 
> 2 Questions:
> 
> 
> 1. Could Python 3.2, when compiled against OpenSSL 1.0.0j, be
> affected by the poodle bug?
> https://www.openssl.org/~bodo/ssl-poodle.pdf

Yes, POODLE is two things:

 1. Due to client‐side fallback mechanisms outside of SSL and TLS, it
    is possible to force a client to connect with a different version of
    the protocol, i.e. a protocol downgrade.

 2. Due to the way padding is implemented in SSL 3.0 there is a padding
    oracle attack on CBC mode ciphers. This affects all implementations
    of SSL 3.0, and some of TLS 1.0 (but not OpenSSL).

All versions of OpenSSL (that support SSL 3.0) are affected by (2)
because it is inherent in the protocol. The fix is not to allow SSL, and
enable the latest versions of TLS.

Later versions of OpenSSL (0.9.8zc, 1.0.0o, 1.0.1j) added a workaround,
the TLS_FALLBACK_SCSV mechanism, which allows clients to specify when
they have fallen back to an earlier version, preventing downgrade
attacks (1). It only works if both the client and server support the
mechanism, and if SSL 3.0 is used it is still affected by the padding
oracle attack (2).

> 2. If yes - are the following OpenSSL versions approved for use
> with Python 3.2:

I can’t answer for approved but I have builds of Python that use OpenSSL
0.9.8 and 1.0.1 and it should build against any version in these
branches. I also have pyOpenSSL built against these branches.

Simon
-- 
A complex system that works is invariably found to have evolved from a
simple system that works.—John Gall
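
The version thresholds and the SSL 3.0 fix from the reply above, as an added example that is not part of the original message or of Python's or OpenSSL's own code. The function names are hypothetical; the branch table holds only the three releases the reply lists, and any other branch returns None rather than a guess.

```python
import re
import ssl

# First release on each branch with TLS_FALLBACK_SCSV, as listed in the reply.
SCSV_FIRST = {"0.9.8": "zc", "1.0.0": "o", "1.0.1": "j"}
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]*)$")


def parse_openssl_version(version):
    """Split '1.0.0j' into ('1.0.0', 'j'); raise ValueError on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return m.group(1), m.group(2)


def has_fallback_scsv(version):
    """True/False for the branches in the reply, None for any other branch."""
    branch, letter = parse_openssl_version(version)
    first = SCSV_FIRST.get(branch)
    if first is None:
        return None  # branch not named in the reply: do not guess
    # Patch letters run "", a..z, za, zb, ...: compare by length, then alphabetically.
    return (len(letter), letter) >= (len(first), first)


def poodle_exposure(version, ssl3_enabled):
    """Map a build onto the two parts of POODLE described in the reply."""
    return {
        # Part (1): SCSV only helps when the peer supports it as well.
        "downgrade_protection": has_fallback_scsv(version),
        # Part (2): inherent in SSL 3.0, independent of the OpenSSL version.
        "padding_oracle_exposed": bool(ssl3_enabled),
    }


def context_without_ssl3():
    """Context that refuses SSL 3.0, whatever OpenSSL release is linked."""
    # PROTOCOL_SSLv23 is the fallback for interpreters without PROTOCOL_TLS_CLIENT.
    proto = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(proto)
    ctx.options |= ssl.OP_NO_SSLv3
    return ctx


if __name__ == "__main__":
    # 1.0.0j is the version from the question; 1.0.0o is the fixed release.
    for v in ("1.0.0j", "1.0.0o", "0.9.8zc"):
        print(v, poodle_exposure(v, ssl3_enabled=True))
```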


