A big security breach of SSL 3.0 just dropped a little while ago (named POODLE). With this there is now no ability to securely connect via SSL 3.0. I believe that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled, where it is disabled by default unless the user has explicitly re-enabled it. The new attack essentially allows reading the sensitive data from within a SSL 3.0 connection stream. It takes roughly 256 requests to break a single byte so the attack is very practical. You can read more about the attack here at the google announcement [1] or the whitepaper [2]. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploitin... [2] https://www.openssl.org/~bodo/ssl-poodle.pdf --- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Hi,
I opened an issue to track this vulnerability:
http://bugs.python.org/issue22638
SSL 3.0 is 8 years old, I guess that TLS is now widely deployed and
well supported?
I guess that Linux vendors will have to fix the issues directly in
OpenSSL directly. Should Python only be changed on Windows?
Or do you want to modify Python to disable SSLv3 in the ssl module?
OpenSSL provides a SSL_OP_NO_SSLv2 option for SSL context. Is there a
SSL_OP_NO_SSLv3 option? Or only change the constructor of
ssl.SSLContext?
Victor
2014-10-15 1:00 GMT+02:00 Donald Stufft
A big security breach of SSL 3.0 just dropped a little while ago (named POODLE). With this there is now no ability to securely connect via SSL 3.0. I believe that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled, where it is disabled by default unless the user has explicitly re-enabled it.
The new attack essentially allows reading the sensitive data from within a SSL 3.0 connection stream. It takes roughly 256 requests to break a single byte so the attack is very practical. You can read more about the attack here at the google announcement [1] or the whitepaper [2].
[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploitin... [2] https://www.openssl.org/~bodo/ssl-poodle.pdf
--- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/victor.stinner%40gmail.co...
On Wed, 15 Oct 2014 01:16:26 +0200
Victor Stinner
Hi,
I opened an issue to track this vulnerability: http://bugs.python.org/issue22638
SSL 3.0 is 8 years old, I guess that TLS is now widely deployed and well supported?
I guess that Linux vendors will have to fix the issues directly in OpenSSL directly. Should Python only be changed on Windows?
If OpenSSL gets a patch, we can simply update the OpenSSL version used for Windows installers.
Or do you want to modify Python to disable SSLv3 in the ssl module? OpenSSL provides a SSL_OP_NO_SSLv2 option for SSL context. Is there a SSL_OP_NO_SSLv3 option? Or only change the constructor of ssl.SSLContext?
Please let's not have this discussion on two different channels. *Either* the bug tracker or the mailing-list. Thank you Antoine.
participants (3)
-
Antoine Pitrou -
Donald Stufft -
Victor Stinner