Re: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)

On 08:02 am, solipsis@pitrou.net wrote:

Le mardi 23 novembre 2010 � 20:56 -0500, Glyph Lefkowitz a �crit :

...

On Nov 23, 2010, at 9:02 AM, Antoine Pitrou wrote:

...

On Tue, 23 Nov 2010 00:07:09 -0500 Glyph Lefkowitz wrote:

...

On Mon, Nov 22, 2010 at 11:13 PM, Hirokazu Yamamoto < ocean-city@m2.ccsnet.ne.jp> wrote:

...

Hello. Does this affect python? Thank you.

http://www.openssl.org/news/secadv_20101116.txt

No.

Well, actually it does, but Python links against the system OpenSSL on most platforms (except Windows), so it's up to the OS vendor to apply the patch.

It does? If so, I must have misunderstood the vulnerability. Can you explain how it affects Python?

If I believe the link above: 1CAny OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected. 1D

So, you just have to create a multithreaded TLS server which doesn't disable server-side session caching (it is enabled by default according to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html )

Hm. The session cache is enabled by default, but nothing will ever use it unless the server specifies a session id using SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python doesn't expose these, so I don't think any Python SSL server can set them. The vulnerability announcement isn't 100% clear on this, but I took a look at the patch which fixes the issue and it /appears/ as though if a client never tries to re-use a session then you will be safe from this bug. However, perhaps this only means that only malicious clients (which send a session id even when they can't actually have one) will be able to trigger the bug. Or I may misunderstand how SSL sessions work in OpenSSL entirely. The documentation for them is on par with that for most of the rest of OpenSSL. Jean-Paul