[Python-Dev] OpenSSL vulnerability
exarkun at twistedmatrix.com
exarkun at twistedmatrix.com
Fri Nov 6 23:36:34 CET 2009
On 10:18 pm, janssen at parc.com wrote:
>Guido,
>
>I'm working from <http://extendedsubset.com/Renegotiating_TLS.pdf>.
>
>I believe geremy is right. The current SSL module does not expose much
>of the SSL API, so servers implemented in Python, using it, should
>(fortuituously) be immune to the some of the attacks outlined, simply
>because there's no way to do an application-initiated renegotiation,
>which the first two scenarios presuppose. On the other hand, there's
>no
>way to do application-directed session resumption, either, which might
>be a good add to support new or updated application protocols which
>address this problem.
Also, for Python 2.5 and earlier, any SSL-based code is vulnerable to a
MitM anyway, so this can only be an issue for code using the new APIs in
Python 2.6.
Jean-Paul
More information about the Python-Dev
mailing list