[Python-Dev] Supported versions of OpenSSL

M.-A. Lemburg mal at egenix.com
Wed Aug 31 05:33:49 EDT 2016


On 31.08.2016 10:50, Christian Heimes wrote:
> On 2016-08-31 10:31, M.-A. Lemburg wrote:
>> In all this discussion I have yet to find a compelling security
>> relevant argument for using an 1.0.2 API which is so important
>> that we cannot make this optional at runtime.
>>
>> The only argument Christian reported was this one:
>>
>> """
>>> BTW: Are there any features in 1.0.2 that we need and would warrant
>>> dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS ?
>>
>> Yes, there are features I want to use, e.g. proper hostname
>> verification. Python's post-handshake verification is a hack and leads
>> to information disclosure.
>> """
>>
>> Regarding that argument: hostname validation can be done
>> in 1.0.1 by providing a verification hook handler. That's
>> intended and by design, not a hack. 1.0.2 comes with
>> support for hostname validation making this a little easier
>> (you still have to set this up, though).
> 
> Are you willing to implement and maintain this callback? Are you
> willing to do all the work?

Maintain: yes, if needed.

It is already implemented, so that part isn't hard :-)

> Are you aware how many security bugs we had in our own verification
> code? I'm aware of at least two critical bugs.

Not that many, given that host name validation is more of a
best-practices art than one where all participants implement
the standards:

http://bugs.python.org/issue?%40columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignee%2Cstatus%2Ctype&%40sort=-activity&%40filter=status&%40action=searchid&ignore=file%3Acontent&%40search_text=match_hostname&submit=search&status=-1%2C1%2C2%2C3

The only critical bug I could find was this one (NUL bytes
in subjectAltName):

http://bugs.python.org/issue18709

but as I understand, the true origin of the bug was an OpenSSL
function, not the host name matching code in Python.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Aug 31 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
                      http://www.malemburg.com/
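The check the thread argues about, as an added illustration that is not code from the thread, from CPython or from eGenix: a post-handshake host name matcher over a certificate in the shape `ssl.getpeercert()` returns. It models what the OpenSSL 1.0.1 approach has to do in Python after the chain has been verified, and it treats the NUL-byte case from issue18709 (a dNSName such as `www.python.org\0.attacker.example`) as a malformed certificate rather than silently matching the part before the NUL. The names `match_hostname`, `CertificateError`, `hostname_ok` and the matching rules are this example's own assumptions, modelled loosely on RFC 6125 section 6.4.3; the sample certificates are constructed, not real.

```python
"""Post-handshake host name matching over a getpeercert()-shaped dict.

Added example, not CPython's ssl.match_hostname.  Rules are assumptions:
  * dNSName entries in subjectAltName are authoritative; the subject
    commonName is consulted only when the certificate carries none;
  * comparison is case-insensitive and ignores one trailing dot;
  * a NUL byte anywhere in a presented name makes the certificate
    malformed (the issue18709 case) and the check fails closed;
  * the only wildcard accepted is a leftmost label that is exactly "*",
    it needs at least two more labels, and it matches exactly one label.
"""


class CertificateError(ValueError):
    """Raised when the certificate does not match or is malformed."""


def _dnsname_match(pattern, hostname):
    """Return True if the presented name *pattern* matches *hostname*.

    Raises CertificateError for a malformed presented name (NUL byte,
    unsupported wildcard form) instead of returning False, so that a
    hostile certificate cannot be "repaired" by a later matching entry.
    """
    if not pattern or "\x00" in pattern:
        raise CertificateError("invalid dNSName in certificate: %r" % (pattern,))
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    if "*" not in pattern:
        # Exact, label-by-label comparison.
        return p_labels == h_labels

    # Wildcard form: "*" must be the whole leftmost label, nothing else
    # may contain "*", and "*.tld" style patterns are refused.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        raise CertificateError("unsupported wildcard in certificate: %r" % (pattern,))
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # "*" matches one non-empty label, never "a.b"
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Verify that *hostname* matches *cert*; raise CertificateError otherwise.

    *cert* has the shape of ssl.getpeercert(): "subject" is a tuple of
    RDNs, each a tuple of (key, value) pairs; "subjectAltName" is a tuple
    of (type, value) pairs.  Returns True on success.
    """
    if not cert:
        raise CertificateError("empty or unverified certificate")
    dnsnames = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dnsnames:  # commonName fallback only when no dNSName exists
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dnsnames.append(value)
    if not dnsnames:
        raise CertificateError("no commonName or subjectAltName dNSName found")
    for name in dnsnames:
        if _dnsname_match(name, hostname):
            return True
    raise CertificateError("hostname %r does not match any of %r" % (hostname, dnsnames))


def hostname_ok(cert, hostname):
    """Boolean convenience wrapper: True only when match_hostname succeeds."""
    try:
        return match_hostname(cert, hostname)
    except CertificateError:
        return False


# Constructed sample certificates (not real certificates, not real SANs).
GOOD_CERT = {
    "subject": ((("commonName", "www.python.org"),),),
    "subjectAltName": (("DNS", "www.python.org"), ("DNS", "*.python.org")),
}
NUL_CERT = {  # the issue18709 shape: NUL inside a dNSName
    "subject": ((("commonName", "www.python.org"),),),
    "subjectAltName": (("DNS", "www.python.org\x00.attacker.example"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.net"),),)}
SAN_BEATS_CN_CERT = {
    "subject": ((("commonName", "bar.example.com"),),),
    "subjectAltName": (("DNS", "foo.example.com"),),
}

if __name__ == "__main__":
    for cert, host in [(GOOD_CERT, "docs.python.org"), (NUL_CERT, "www.python.org")]:
        print(host, "->", hostname_ok(cert, host))
```

The point of raising rather than returning False inside `_dnsname_match` is the failure mode the thread mentions: once a certificate presents a name with an embedded NUL, nothing else in it should be trusted to rescue the match. On OpenSSL 1.0.2 and later the same decision can be pushed into the library itself (X509_VERIFY_PARAM_set1_host, which later CPython releases use when `SSLContext.check_hostname` is set), so the Python-level comparison above is only needed for the 1.0.1 case the message discusses.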


