[PYTHON-CRYPTO] Some issues with M2Crypto 0.18 and timeouts

Jesus Cea jcea at ARGO.ES
Wed Oct 3 18:04:34 CEST 2007



Heikki Toivonen wrote:
> You are the second or third person to ask about it in M2Crypto in the
> past 4 years, so it is not *that* frequent a request. I suspect most
> people use something more robust than plain M2Crypto for a server
> application (like Apache or Twisted). Client side is a different thing,
> of course.

Definitely M2Crypto, as is, is not suitable for server SSL, since DoS
(Denial of Service) is trivial :-(, unless the programmer fights the BIO
layer, hard.

> If you really want this simple solution, I'd advise first
> trying the patch in the bug I pointed out, and seeing how it works. If
> it does everything you need, reliably, I could consider applying the patch.

The patch proposed is a good idea, but it has two problems:

1. SO_RCVTIMEO/SO_SNDTIMEO are *very* non-portable, not universally
supported and, worse, plagued with bugs and inconsistencies between OS's
and releases.

2. The patch only considers timeouts in the SSL handshake, not in the
send/receive code, renegotiation, shutdown, etc.

> TLS Lite is pure Python, but can use various other native modules (if
> available) to speed up SSL: http://trevp.net/tlslite/

TLS Lite seems to support asynchronous (timeout) operations, but the current
release is a bit dated (2005). Performance is an unknown.

--
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
                               _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz
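
The two objections above (SO_RCVTIMEO/SO_SNDTIMEO portability, and timeouts covering only the handshake) can both be met with a non-blocking socket, select(), and one absolute deadline shared by every TLS operation. This is an added example, not code from the post, the proposed patch, or M2Crypto: it uses the Python standard library `ssl` module instead, and the names `tls_call`, `serve_one`, `demo_stalled_client` and `DeadlineExceeded` are hypothetical.

```python
import select
import socket
import ssl
import time

class DeadlineExceeded(Exception):
    """Peer did not finish the TLS operation within the time budget."""

def _wait(sock, want_read, deadline):
    # select() is the portable wait primitive; no SO_RCVTIMEO/SO_SNDTIMEO involved.
    remaining = deadline - time.monotonic()
    if remaining <= 0:
        raise DeadlineExceeded()
    rlist, wlist = ([sock], []) if want_read else ([], [sock])
    ready = select.select(rlist, wlist, [], remaining)
    if not (ready[0] or ready[1]):
        raise DeadlineExceeded()

def tls_call(sock, op, deadline, *args):
    """Run a non-blocking TLS op (do_handshake, recv, send, unwrap) under one deadline."""
    while True:
        try:
            return op(*args)
        except ssl.SSLWantReadError:
            _wait(sock, True, deadline)
        except ssl.SSLWantWriteError:
            _wait(sock, False, deadline)

def serve_one(listener, ctx, budget):
    """Accept one connection; handshake and first read share the same time budget."""
    conn, _ = listener.accept()
    conn.setblocking(False)
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    deadline = time.monotonic() + budget
    try:
        tls_call(tls, tls.do_handshake, deadline)
        return tls_call(tls, tls.recv, deadline, 4096)
    except DeadlineExceeded:
        return None  # stalled peer: drop it instead of tying up the server
    finally:
        tls.close()

def demo_stalled_client(budget=0.3):
    """Constructed scenario: a client that connects and never sends a ClientHello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no certificate: handshake never starts
    with socket.create_server(("127.0.0.1", 0)) as listener:
        with socket.create_connection(listener.getsockname()):
            start = time.monotonic()
            result = serve_one(listener, ctx, budget)
            return result, time.monotonic() - start
```

Passing `tls.send` or `tls.unwrap` to `tls_call` puts writes and shutdown under the same deadline; a real server would load a certificate into `ctx` first.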
