[issue32257] Support Disabling Renegotiation for SSLContext
Qichao Chu
report at bugs.python.org
Sat Dec 9 16:59:16 EST 2017
Qichao Chu <qc.chu at gatech.edu> added the comment:
I don't think it is a bug in OpenSSL. For various reasons, certain applications must allow renegotiation while this leaves security problem for others. That's why if python can control this flag, applications will be more confident in dealing with DoS attacks aimed at renegotiation.
This flag controls not only SSL3 but also TLSv1.1 and TLSv1.2 after testing on Nginx and Gevent.
As of OpenSSL 1.0.2h, in file ssl/s3_lib.c
int ssl3_renegotiate(SSL *s)
{
if (s->handshake_func == NULL)
return (1);
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
return (0);
s->s3->renegotiate = 1;
return (1);
}
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32257>
_______________________________________
More information about the Python-bugs-list
mailing list