From helga at velroyen.de Tue Aug 25 15:30:48 2015
From: helga at velroyen.de (Helga Velroyen)
Date: Tue, 25 Aug 2015 13:30:48 +0000
Subject: [pyOpenSSL-Users] Disable SSL renegotiation?
Message-ID:

Hi!

Is there a way in pyOpenSSL to disable SSL renegotiation completely (not only the legacy type)?

It seems not easy in C already, see here:
https://github.com/bumptech/stud/pull/47/files

I would basically do something like that, but I don't find anything in pyOpenSSL's docs about the things needed, for example support for the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS option.

Any advice on how to disable SSL renegotiation entirely? Btw. my main reason to do that is the computational overhead that is not needed for my use case.

Thanks for any hints,
Helga


From hs at ox.cx Tue Aug 25 16:06:56 2015
From: hs at ox.cx (Hynek Schlawack)
Date: Tue, 25 Aug 2015 16:06:56 +0200
Subject: [pyOpenSSL-Users] Disable SSL renegotiation?
In-Reply-To:
References:
Message-ID: <6DEEEED6-49DD-4753-A708-9D8E82F41C42@ox.cx>

Hi,

> Is there a way in pyOpenSSL to disable SSL renegotiation completely (not only the legacy type)?
>
> It seems not easy in C already, see here:
> https://github.com/bumptech/stud/pull/47/files
>
> I would basically do something like that, but I don't find anything in pyOpenSSL's docs about the things needed, for example support for the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS option.
>
> Any advice on how to disable SSL renegotiation entirely? Btw. my main reason to do that is the computational overhead that is not needed for my use case.

The main ingredient seems to be the info callback, for which we do have an API:
http://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_info_callback

If I understand correctly, one applies SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS to an SSL connection object's flags *after* the handshake? I'd suggest looking up the constant in OpenSSL, but right now I don't think we actually have means to access SSL.flags (the SSL object is in Connection._ssl if you wanna poke around). :-/

–h


From helga at velroyen.de Wed Aug 26 13:45:36 2015
From: helga at velroyen.de (Helga Velroyen)
Date: Wed, 26 Aug 2015 11:45:36 +0000
Subject: [pyOpenSSL-Users] Disable SSL renegotiation?
In-Reply-To: <6DEEEED6-49DD-4753-A708-9D8E82F41C42@ox.cx>
References: <6DEEEED6-49DD-4753-A708-9D8E82F41C42@ox.cx>
Message-ID:

Hm, I just found that there is an option for it: SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, but it seems equally unsupported in pyOpenSSL. Do you know anything about it? Would using that option be the way to do this?

Cheers,
Helga

On Tue, Aug 25, 2015 at 4:07 PM Hynek Schlawack wrote:

> Hi,
>
>> Is there a way in pyOpenSSL to disable SSL renegotiation completely (not
>> only the legacy type)?
>>
>> It seems not easy in C already, see here:
>> https://github.com/bumptech/stud/pull/47/files
>>
>> I would basically do something like that, but I don't find anything in
>> pyOpenSSL's docs about the things needed, for example support for the
>> SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS option.
>>
>> Any advice on how to disable SSL renegotiation entirely? Btw. my main
>> reason to do that is the computational overhead that is not needed for my
>> use case.
>
> The main ingredient seems to be the info callback, for which we do have an
> API:
> http://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_info_callback
>
> If I understand correctly, one applies SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
> to an SSL connection object's flags *after* the handshake? I'd suggest
> looking up the constant in OpenSSL, but right now I don't think we actually
> have means to access SSL.flags (the SSL object is in Connection._ssl if you
> wanna poke around). :-/
>
> –h
> _______________________________________________
> pyopenssl-users mailing list
> pyopenssl-users at python.org
> https://mail.python.org/mailman/listinfo/pyopenssl-users
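One way to act on the info-callback suggestion from Hynek's reply, as an added example that is not code from the thread or from pyOpenSSL: the callback counts completed handshakes per connection, so a second SSL_CB_HANDSHAKE_START after the first SSL_CB_HANDSHAKE_DONE is a renegotiation attempt and the connection is flagged for the application to close. The numeric fallback values for the two constants, the `RenegotiationGuard` class and `make_server_context` are assumptions of this example, not pyOpenSSL API.

```python
"""Refuse TLS (<= 1.2) renegotiation in pyOpenSSL using Context.set_info_callback."""
try:
    from OpenSSL import SSL
    CB_HANDSHAKE_START = SSL.SSL_CB_HANDSHAKE_START
    CB_HANDSHAKE_DONE = SSL.SSL_CB_HANDSHAKE_DONE
except ImportError:
    # Assumed fallbacks (the values from OpenSSL's ssl.h) so the bookkeeping
    # below can run without the binding installed.
    SSL = None
    CB_HANDSHAKE_START = 0x10
    CB_HANDSHAKE_DONE = 0x20


class RenegotiationGuard:
    """Per-connection handshake bookkeeping driven by the info callback."""

    def __init__(self):
        self._done = {}        # id(conn) -> completed handshakes on that connection
        self._rejected = set() # id(conn) of connections that tried to renegotiate

    def info_callback(self, conn, where, ret):
        # Signature required by Context.set_info_callback: (conn, where, ret).
        key = id(conn)
        if where & CB_HANDSHAKE_DONE:
            self._done[key] = self._done.get(key, 0) + 1
        elif where & CB_HANDSHAKE_START and self._done.get(key, 0) > 0:
            # The initial handshake already finished, so this start is a
            # renegotiation. Only record it here: the application closes the
            # connection after the current SSL call returns, rather than
            # re-entering OpenSSL from inside its own callback.
            self._rejected.add(key)

    def is_rejected(self, conn):
        return id(conn) in self._rejected

    def forget(self, conn):
        """Drop state when a connection is closed (id() values get reused)."""
        self._done.pop(id(conn), None)
        self._rejected.discard(id(conn))


def make_server_context(certfile, keyfile):
    """Server Context with the guard installed; needs pyOpenSSL at runtime."""
    guard = RenegotiationGuard()
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
    ctx.use_certificate_file(certfile)
    ctx.use_privatekey_file(keyfile)
    ctx.set_info_callback(guard.info_callback)
    return ctx, guard
```

After each `Connection.recv` or `do_handshake` the server checks `guard.is_rejected(conn)` and shuts the connection down if set. OpenSSL 1.1.0h and later also offer SSL_OP_NO_RENEGOTIATION, which rejects renegotiation inside the library without any callback.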