[pyOpenSSL-Users] Disable SSL renegotiation?

Hynek Schlawack hs at ox.cx
Tue Aug 25 16:06:56 CEST 2015


Hi,

> Is there a way in pyOpenSSL to disable SSL renegotiation completely (not only the legacy type)?
> 
> It seems not easy in C already, see here:
> https://github.com/bumptech/stud/pull/47/files
> 
> I would basically do something like that, but I don't find anything in pyOpenSSL's docs about the things needed, for example support for the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS option.
> 
> Any advice on how to disable SSL renegotiation entirely? Btw. my main reason to do that is the computational overhead that is not needed for my use case.

The main ingredient seems to be the info callback, for which we do have an API: http://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_info_callback

If I understand correctly, one applies SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS to an SSL connection object’s flags *after* the handshake? I’d suggest looking up the constant in OpenSSL, but right now I don’t think we actually have means to access SSL.flags (the SSL object is in Connection._ssl if you wanna poke around). :-/

—h
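
An added example of the info-callback approach mentioned in the reply above (not code from the poster or from pyOpenSSL): it records when a peer starts a second handshake on an established connection so the I/O loop can close it, and it does not touch SSL.flags. `RenegotiationGuard`, `RenegotiationAttempt` and `guarded_recv` are hypothetical names, and skipping TLS 1.3 connections is an assumption.

```python
import weakref

try:
    from OpenSSL import SSL
    HANDSHAKE_START = SSL.SSL_CB_HANDSHAKE_START
    HANDSHAKE_DONE = SSL.SSL_CB_HANDSHAKE_DONE
except ImportError:
    # Values of the same constants in OpenSSL's ssl.h, so the logic runs without pyOpenSSL.
    HANDSHAKE_START, HANDSHAKE_DONE = 0x10, 0x20


class RenegotiationAttempt(Exception):
    """Hypothetical exception: the peer started a second handshake."""


class RenegotiationGuard:
    """Hypothetical helper that remembers which connections tried to renegotiate."""

    def __init__(self):
        # Weak sets so closed connections are not kept alive by the guard.
        self._done = weakref.WeakSet()
        self._flagged = weakref.WeakSet()

    def info_callback(self, conn, where, ret):
        """Matches the (connection, where, ret) signature of set_info_callback."""
        if where & HANDSHAKE_DONE:
            self._done.add(conn)
        elif where & HANDSHAKE_START and conn in self._done:
            # Assumption: TLS 1.3 has no renegotiation, and post-handshake messages
            # there can also report a handshake start, so it is skipped.
            if conn.get_protocol_version_name() != "TLSv1.3":
                self._flagged.add(conn)

    def renegotiation_seen(self, conn):
        return conn in self._flagged


def guarded_recv(guard, conn, bufsize=4096):
    """Read from conn; raise if the info callback saw a second handshake start."""
    try:
        return conn.recv(bufsize)
    finally:
        # Checked even when recv() raised (e.g. WantReadError mid-renegotiation).
        if guard.renegotiation_seen(conn):
            raise RenegotiationAttempt("peer started a second handshake")


# Wiring with pyOpenSSL (ctx is an OpenSSL.SSL.Context):
#   guard = RenegotiationGuard()
#   ctx.set_info_callback(guard.info_callback)
#   ... then call guarded_recv(guard, conn) in the I/O loop and close on the exception.
```

This detects and drops renegotiating peers; it does not stop OpenSSL from beginning to process the second handshake, which is what the flag discussed above is for.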