[issue32257] Support Disabling Renegotiation for SSLContext

Nathaniel Smith report at bugs.python.org
Sun Dec 10 15:21:26 EST 2017


Nathaniel Smith <njs at pobox.com> added the comment:

It looks like openssl master has SSL_OP_NO_RENEGOTIATION: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html

Before that, I guess one could use SSL_CTX_sess_{connect,accept}_renegotiate to detect when a renegotiation has occurred and then error out? Admittedly this is more effective in nonblocking or memorybio mode. Or you could do something similar with the info callback: allow the current operation to succeed, but mark the connection as "poisoned". (Heck, in socket bio mode you could flat out close the socket. That'll shut things down.)

For bonus annoyance, note that RFC 7240 does allow implementations to support renegotiation that happens before any data is exchanged, to allow for the encrypted client cert hack.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32257>
_______________________________________
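Added example, not code from the tracker thread or from CPython: it applies the option-based approach above from a Python SSLContext, setting ssl.OP_NO_RENEGOTIATION when the running OpenSSL exports it (Python only exposes the constant when built against an OpenSSL that defines SSL_OP_NO_RENEGOTIATION) and reporting whether a peer could still renegotiate. The function names are assumptions of this example.

```python
import ssl


def option_available():
    """True if this Python/OpenSSL pair exposes OP_NO_RENEGOTIATION."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def disable_renegotiation(ctx):
    """Set OP_NO_RENEGOTIATION on ctx; return False if the option is absent.

    With the option set, OpenSSL refuses peer-initiated renegotiation
    (TLS 1.2 and older), which is the coarse but reliable fix; the
    RFC-permitted "renegotiate before any data" case is blocked as well."""
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if opt is None:
        return False
    ctx.options |= opt
    return True


def renegotiation_disabled(ctx):
    """Inspect an existing context: is the no-renegotiation bit set?"""
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return opt is not None and bool(ctx.options & opt)


def renegotiation_possible(ctx):
    """True if a peer could still trigger a renegotiation on connections
    made from ctx. TLS 1.3 removed renegotiation, so a context that only
    accepts 1.3 is safe even on an OpenSSL without the option."""
    if renegotiation_disabled(ctx):
        return False
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_3


def make_client_context(disable=True):
    """Return (ctx, disabled): a verifying client context, with
    renegotiation turned off where the library allows it."""
    ctx = ssl.create_default_context()
    disabled = disable_renegotiation(ctx) if disable else False
    return ctx, disabled


if __name__ == "__main__":
    ctx, disabled = make_client_context()
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("OP_NO_RENEGOTIATION set:", disabled)
    print("renegotiation still possible:", renegotiation_possible(ctx))
```

On an OpenSSL older than the option, `disabled` comes back False and the only remaining defence from Python is to refuse anything below TLS 1.3; the detection-and-poison route needs the OpenSSL info callback, which the ssl module does not expose.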
