[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Nathaniel Smith njs at pobox.com
Wed Jun 7 14:49:38 EDT 2017


On Jun 7, 2017 6:29 AM, "Victor Stinner" <victor.stinner at gmail.com> wrote:

2017-06-07 10:56 GMT+02:00 Nathaniel Smith <njs at pobox.com>:
> Another testing challenge is that the stdlib ssl module has no way to
> trigger a renegotiation, and therefore there's no way to write tests
> to check that it properly handles a renegotiation, even though
> renegotiation is by far the trickiest part of the protocol to get
> right. (In particular, renegotiation is the only case where attempting
> to read can give WantWrite and vice-versa.)

Renegociation was the source of a vulnerability in SSL/TLS protocols,
so maybe it's a good thing that it's not implemented :-)
https://www.rapid7.com/db/vulnerabilities/tls-sess-renegotiation

Renegociation was removed from the new TLS 1.3 protocol:
https://tlswg.github.io/tls13-spec/
"TLS 1.3 forbids renegotiation"


Oh, sure, renegotiation is awful, no question. The HTTP/2 spec also forbids
it. But it does still get used and python totally implements it :-). If
python is talking to some peer and the peer says "hey, let's renegotiate
now" then it will. There just aren't any tests for what happens next.

Not that this has much to do with MemoryBIOs. Sorry for the tangent.

-n
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20170607/086598c4/attachment.html>


More information about the Python-Dev mailing list