[PYTHON-CRYPTO] Some issues with M2Crypto 0.18 and timeouts
Jesus Cea
jcea at ARGO.ES
Sat Sep 22 07:41:28 CEST 2007
I was waiting for M2Crypto 0.18 to solve the GIL issue (previous version
didn't release the python GIL while inside OpenSSL) to update my python
mailing system with POP3 TLS support.

I just spent last night working on it (M2Crypto documentation is very
sparse), and I've found a couple of -serious- issues:

a) If the socket passed to "M2Crypto.SSL.Connection()" has a timeout
defined, the SSL/TLS negotiation will fail. Even if the timeout doesn't
expire.

b) Calls to "connection.set_socket_read_timeout()" and
"connection.set_socket_write_timeout()" seem to hang up or show
messages like "Option not supported by protocol". How can I limit the
time spent in SSL negotiation or waiting for data? I'm interested in
guaranteeing a maximum (short) time for SSL negotiation and a configurable
and short wait in the "recv()" and "send()" methods.

Thanks in advance.

A couple of minimal test cases. You must connect your web browser to
port 8877.

First issue:
"""
import socket

import M2Crypto

M2Crypto.threading.init()
M2Crypto.Rand.load_file("/dev/urandom", -1)

# Server-side context: SSLv2 disabled, anonymous/weak/export/MD5 suites excluded.
ctx = M2Crypto.SSL.Context('sslv23')
ctx.set_info_callback()
ctx.load_cert_chain('server.pem')
ctx.set_options(M2Crypto.SSL.op_all | M2Crypto.SSL.op_no_sslv2)
if ctx.set_cipher_list('ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH') != 1:
    print("***No valid ciphers")

# Accept a single plain TCP connection on port 8877.
sock = socket.socket()
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('', 8877))
sock.listen(5)
sock, addr = sock.accept()
sock.settimeout(10)  # <- COMMENT THIS LINE AND THE SSL WILL WORK.

# Wrap the accepted socket and run the server side of the handshake.
conn = M2Crypto.SSL.Connection(ctx, sock)
conn.set_accept_state()
conn.setup_ssl()
conn.accept_ssl()
print(conn.recv(99999))
conn.clear()
"""
--
Jesus Cea Avion
jcea at argo.es http://www.argo.es/~jcea/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
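
Added example, not part of the original message and not M2Crypto code: CPython implements `settimeout()` by switching the descriptor to non-blocking mode, which the first function confirms, and the other two show one way to put an overall deadline on a TLS handshake using the standard-library `ssl` module (Python 3) in place of M2Crypto. Whether that mode switch is what breaks the M2Crypto handshake in issue (a) is an assumption; the function names, the 0.3 s deadline, the socketpair peer and `example.invalid` are constructed for illustration.

```python
import os
import select
import socket
import ssl
import time

def settimeout_makes_fd_nonblocking(timeout=10.0):
    """True if settimeout() left the OS-level descriptor non-blocking."""
    a, b = socket.socketpair()
    try:
        a.settimeout(timeout)
        return not os.get_blocking(a.fileno())
    finally:
        a.close()
        b.close()

def handshake_with_deadline(tls_sock, seconds):
    """Drive a non-blocking TLS handshake; give up after `seconds` in total."""
    deadline = time.monotonic() + seconds
    tls_sock.setblocking(False)
    while True:
        try:
            tls_sock.do_handshake()
            return
        except ssl.SSLWantReadError:
            readers, writers = [tls_sock], []
        except ssl.SSLWantWriteError:
            readers, writers = [], [tls_sock]
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise socket.timeout("TLS handshake deadline exceeded")
        # Sleep until the socket is ready or the overall deadline passes.
        select.select(readers, writers, [], remaining)

def demo_silent_peer(seconds=0.3):
    """Constructed case: the peer never answers. Returns seconds waited."""
    raw, silent_peer = socket.socketpair()
    ctx = ssl.create_default_context()  # certificate checks stay enabled
    tls = ctx.wrap_socket(raw, server_hostname="example.invalid",
                          do_handshake_on_connect=False)
    start = time.monotonic()
    try:
        handshake_with_deadline(tls, seconds)
        return None  # not reached here: nothing completes the handshake
    except socket.timeout:
        return time.monotonic() - start
    finally:
        tls.close()
        silent_peer.close()
```

The socket is left in non-blocking mode after a successful handshake, so later `recv()` and `send()` calls need the same select-with-deadline treatment or an explicit `settimeout()`.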