[Python-checkins] cpython (2.7): Issue #18747: document issue with OpenSSL's CPRNG state and fork
christian.heimes
python-checkins at python.org
Tue Oct 29 21:18:33 CET 2013
http://hg.python.org/cpython/rev/22e166d5c4c7
changeset: 86754:22e166d5c4c7
branch: 2.7
user: Christian Heimes <christian at cheimes.de>
date: Tue Oct 29 21:08:56 2013 +0100
summary:
Issue #18747: document issue with OpenSSL's CPRNG state and fork
files:
Doc/library/os.rst | 4 ++++
Doc/library/ssl.rst | 8 ++++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/Doc/library/os.rst b/Doc/library/os.rst
--- a/Doc/library/os.rst
+++ b/Doc/library/os.rst
@@ -1936,6 +1936,10 @@
Note that some platforms including FreeBSD <= 6.3, Cygwin and OS/2 EMX have
known issues when using fork() from a thread.
+ .. warning::
+
+ See :mod:`ssl` for applications that use the SSL module with fork().
+
Availability: Unix.
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -30,6 +30,14 @@
operating system socket APIs. The installed version of OpenSSL may also
cause variations in behavior.
+.. warning::
+
+ OpenSSL's internal random number generator does not properly handle fork.
+ Applications must change the PRNG state of the parent process if they use
+ any SSL feature with with :func:`os.fork`. Any successful call of
+ :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
+ :func:`~ssl.RAND_pseudo_bytes` is sufficient.
+
This section documents the objects and functions in the ``ssl`` module; for more
general information about TLS, SSL, and certificates, the reader is referred to
the documents in the "See Also" section at the bottom.
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list