[Python-Dev] Re: Problem with SSL and socketmodule on Debian Potato?

Guido van Rossum guido@digicool.com
Sat, 14 Apr 2001 20:57:00 -0500


[Martin]
> > AFAICT, under my patch, when using OpenSSL on a system with EGD, it
> > will do the right thing. On a system with /dev/random, it will produce
> > a runtime warning, then add insecure entropy - in addition to the
> > secure entropy already obtained from /dev/random.
> > 
> > Under what I think is your patch, it will do the right thing on a
> > system with /dev/random. On a system with EGD, it will fail because of
> > the missing entropy.

[Moshe]
> Correct on both. My "worse" is: it would print a warning about using
> an insecure method on systems with /dev/random but without an EGD,
> even though it is secure.

And indeed it does when I tried it on SF's Solaris 8 box, which has
OpenSSL installed and /dev/random.

Even worse (in my view), the error message appears as soon as the socket
module is imported!  This is bad, because most uses of socket aren't
interested in its SSL capabilities!

> Note that the EGD stuff is new with 2.1,
> so losing that is not a step backwards from 2.0. Printing a wrong warning
> is a step backwards, so in that sense my patch is more conservative.
>  
> After further contemplation, none of these is a pure win.
> It's up to Guido if he wants to use my patch instead of Martin's
> for 2.1final

I don't like either one.

> *** Modules/socketmodule.c	Sun Mar 18 18:38:50 2001
> --- new	Sat Apr 14 03:53:20 2001
> ***************
> *** 2545,2550 ****
> --- 2545,2551 ----
>   	if (PyDict_SetItemString(d, "SSLType",
>   				 (PyObject *)&SSL_Type) != 0)
>   		return;
> + #if OPENSSL_VERSION_NUMBER < 0x0090510fL

Don't you have this backwards?

>   	if (RAND_status() == 0) {
>   #ifdef USE_EGD
>   		char random_device[MAXPATHLEN+1];
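Review bot: the new `#if OPENSSL_VERSION_NUMBER < 0x0090510fL` guard removes the entire `if (RAND_status() == 0)` block, including the `USE_EGD` path, at compile time for any OpenSSL at or above that version, and nothing in the hunk explains why such builds are assumed to be seeded already; please add a comment next to the `#if` stating that assumption (it would also answer the "backwards?" question above). Since the thread's complaint is that the warning fires on plain `import socket` even for callers that never use SSL, consider moving this runtime `RAND_status()` check out of module initialisation and into the SSL object setup, rather than cutting it by version at compile time.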
> ***************
> *** 2571,2576 ****
> --- 2572,2578 ----
>   		RAND_seed(random_string, sizeof(random_string));
>   #endif /* USE_EGD */
>   	}
> + #endif /* OPENSSL_VERSION_NUMBER < 0x0090510fL */
>   #endif /* USE_SSL */
>   	PyDict_SetItemString(d, "error", PySocket_Error);
>   	PySocketSock_Type.ob_type = &PyType_Type;
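Review bot: the closing `#endif /* OPENSSL_VERSION_NUMBER < 0x0090510fL */` balances the guard opened in the previous hunk, but the guarded region now also contains the `RAND_seed(random_string, sizeof(random_string))` fallback, so on older OpenSSL the insecure-entropy seeding described earlier in the thread still runs while newer builds get no seeding at all from this module; a one-line comment at either end of the guard saying which OpenSSL versions seed themselves and why that makes the fallback unnecessary would make the intent clear to the next reader.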

--Guido van Rossum (home page: http://www.python.org/~guido/)