[issue13885] CVE-2011-3389: _ssl module always disables the CBC IV attack countermeasure
Tomas Hoger
report at bugs.python.org
Tue Mar 13 13:25:52 CET 2012
Tomas Hoger <thoger at redhat.com> added the comment:
Is the final patch going to enable empty fragments unconditionally and will ofter no way to disable them?
curl did that recently and ended up adding option to allow users to disable empty fragments when they break compatibility:
http://curl.haxx.se/docs/adv_20120124B.html
http://thread.gmane.org/gmane.comp.web.curl.library/34659
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLOPTIONS
http://curl.haxx.se/docs/manpage.html#--ssl-allow-beast
----------
nosy: +thoger
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13885>
_______________________________________
More information about the Python-bugs-list
mailing list