[Python-Dev] Python stdlib ssl.SSLContext is missing mode setting ability

M.-A. Lemburg mal at egenix.com
Thu Nov 19 04:58:31 EST 2015


On 19.11.2015 09:14, Cory Benfield wrote:
> 
>> On 19 Nov 2015, at 03:53, Ben Bangert <ben at groovie.org> wrote:
>>
>> In Python 2 and 3, the ssl module's SSLContext object has a way to set
>> SSL options, but not to set SSL modes.
>>
>> The set_mode command and some of the available modes:
>> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html
>>
>> The most critical mode is SSL_MODE_RELEASE_BUFFERS, which can drop the
>> SSL overhead *per connection* from around 25kb to ~7kb. The pyopenssl
>> library allows the setting of SSLContext modes, it seems very odd that
>> the Python 2/3 ssl modules do not. Though I could understand that
>> perhaps not all SSL libraries Python might build against would have
>> this mode thing available.
>>
> 
> Ben,
> 
> Do we need the ability to set arbitrary modes? Most of the modes mentioned in the OpenSSL documentation are things we actively don’t want the user to set because stuff will randomly break. With that in mind, and with the fact that SSL_MODE_RELEASE_BUFFERS is so obviously better than the standard, should we just instead have the ssl module automatically set SSL_MODE_RELEASE_BUFFERS unconditionally?
> 
> If so, I’m happy to submit a bug/patch to get that to happen.

The mode should only be enabled for OpenSSL versions which are
not affected by this vulnerability:

https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2014-0198

Other than that it seems like a good way forward. Plenty of other
projects have had this enabled by default for years:

http://www.dovecot.org/list/dovecot/2011-October/131381.html
https://svn.boost.org/trac/boost/changeset/71706
https://community.openvpn.net/openvpn/ticket/157

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Nov 19 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________
2015-10-23: Released mxODBC Connect 2.1.5 ...     http://egenix.com/go85

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
                      http://www.malemburg.com/
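As an added illustration of the version gate Marc-Andre proposes (example code written for this page, not part of the thread or of CPython's ssl module): CVE-2014-0198 is a NULL pointer dereference in OpenSSL's do_ssl3_write that is only reachable when SSL_MODE_RELEASE_BUFFERS is set; it affects the 1.0.0 and 1.0.1 branches and was fixed in 1.0.0m and 1.0.1h. The stdlib `ssl` module cannot set modes, so the code below decides from `ssl.OPENSSL_VERSION_INFO` whether the linked OpenSSL is safe, and then applies the mode through pyOpenSSL's `Context.set_mode` (the one binding the thread says already exposes it). The pyOpenSSL import is lazy so the version check itself runs without that package installed.

```python
"""Enable SSL_MODE_RELEASE_BUFFERS only on OpenSSL builds not affected by
CVE-2014-0198 (fixed in 1.0.0m and 1.0.1h; 0.9.8 and 1.0.2+ were never
affected).  Added example, not code from CPython or the mailing-list thread.
"""
import ssl

# ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status); the
# 'patch' element is the letter suffix as a number (1 == 'a', 8 == 'h',
# 13 == 'm').  Only the two branches listed here ever had the bug; the
# value is the first patch level on that branch that carries the fix.
_FIRST_SAFE_PATCH = {
    (1, 0, 0): 13,  # 1.0.0m
    (1, 0, 1): 8,   # 1.0.1h
}


def release_buffers_is_safe(version_info=None):
    """Return True if SSL_MODE_RELEASE_BUFFERS can be enabled without
    exposing CVE-2014-0198 on the given (or the linked) OpenSSL version."""
    if version_info is None:
        version_info = ssl.OPENSSL_VERSION_INFO
    major, minor, fix, patch = version_info[:4]
    needed = _FIRST_SAFE_PATCH.get((major, minor, fix))
    if needed is None:
        # Branch never had the vulnerable code path (0.9.8, 1.0.2, 1.1.x, 3.x).
        return True
    return patch >= needed


def enable_release_buffers(ctx):
    """Set SSL_MODE_RELEASE_BUFFERS on a pyOpenSSL Context when it is safe.

    `ctx` is assumed to be an OpenSSL.SSL.Context (pyOpenSSL), which is the
    binding mentioned in the thread as already exposing set_mode.  Returns
    True when the mode was set, False when it was skipped because the
    linked OpenSSL is vulnerable.
    """
    from OpenSSL import SSL  # pyOpenSSL; imported lazily on purpose

    if not release_buffers_is_safe():
        return False
    ctx.set_mode(SSL.MODE_RELEASE_BUFFERS)
    return True


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    print("release-buffers safe:", release_buffers_is_safe())
```

The gate keys on the (major, minor, fix) branch first and compares the patch letter only within an affected branch, so a future version scheme (OpenSSL 3.x reports a different layout in the same tuple) falls through to "safe" rather than being misread as a 1.0.x patch level.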
