[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Wed Jun 7 09:33:34 EDT 2017


> On 7 Jun 2017, at 14:29, Victor Stinner <victor.stinner at gmail.com> wrote:
> 
> 2017-06-07 10:56 GMT+02:00 Nathaniel Smith <njs at pobox.com>:
>> Another testing challenge is that the stdlib ssl module has no way to
>> trigger a renegotiation, and therefore there's no way to write tests
>> to check that it properly handles a renegotiation, even though
>> renegotiation is by far the trickiest part of the protocol to get
>> right. (In particular, renegotiation is the only case where attempting
>> to read can give WantWrite and vice-versa.)
> 
> Renegociation was the source of a vulnerability in SSL/TLS protocols,
> so maybe it's a good thing that it's not implemented :-)
> https://www.rapid7.com/db/vulnerabilities/tls-sess-renegotiation
> 
> Renegociation was removed from the new TLS 1.3 protocol:
> https://tlswg.github.io/tls13-spec/
> "TLS 1.3 forbids renegotiation"

Renegotiation remains extremely widely deployed with TLS client certificates in enterprise environments, sadly.

Cory


More information about the Python-Dev mailing list