[Python-Dev] OpenSSL vulnerability

geremy condra debatem1 at gmail.com
Fri Nov 6 22:15:52 CET 2009


On Fri, Nov 6, 2009 at 3:22 PM, Guido van Rossum <guido at python.org> wrote:
> Now that a new SSL vulnerability is out
> (http://extendedsubset.com/?p=8) should we regenerate binary
> distributions that include copies of openssl (I think only the Windows
> MSIs) ?
>
> Does it affect any of our ssl APIs?
>
> --
> --Guido van Rossum (python.org/~guido)

The proposal on the table is to add a TLS extension that
takes care of the problem, leave clients unchanged, and
to stop servers from rehandshaking with clients that don't
support the extension. AFAICS, that's all supposed to be
handled by openssl. Certainly the EVP stuff won't need
to be modified.

The version of openssl being distributed should definitely
be brought up to 0.9.8l though.

Geremy Condra
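
An added example, not part of the original message: a check that flags OpenSSL builds older than the 0.9.8l release recommended above, using the banner format of Python's `ssl.OPENSSL_VERSION`. The sample banners and the function names `version_key` and `needs_upgrade` are constructed for illustration.

```python
import re
import ssl

# Threshold taken from the message above: bundled OpenSSL should be at least 0.9.8l.
MINIMUM = "0.9.8l"

# Matches "0.9.8k" or "OpenSSL 0.9.8k 25 Mar 2009"; tolerates a "-fips" build suffix.
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-fips)?(?=\s|$)"
)


def version_key(text):
    """Return a sortable key for an OpenSSL version string, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None  # other libraries (LibreSSL) and pre-release tags land here
    major, minor, fix, patch = m.groups()
    # Letter releases order as "" < a < ... < z < za < zb, so compare length first.
    return (int(major), int(minor), int(fix), len(patch), patch)


def needs_upgrade(text, minimum=MINIMUM):
    """True if older than minimum, False if not, None if the string is not recognised."""
    key = version_key(text)
    if key is None:
        return None
    return key < version_key(minimum)


if __name__ == "__main__":
    # Constructed sample banners, plus the library this interpreter is linked against.
    samples = [
        "OpenSSL 0.9.8k 25 Mar 2009",
        "OpenSSL 0.9.8l 5 Nov 2009",
        ssl.OPENSSL_VERSION,
    ]
    for banner in samples:
        print(banner, "->", needs_upgrade(banner))
```

A `None` result means the banner was not recognised and the build should be inspected by hand instead of being assumed current.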

