On Jun 7, 2017 6:29 AM, "Victor Stinner" <[email protected]> wrote:
2017年06月07日 10:56 GMT+02:00 Nathaniel Smith <[email protected]>: > Another testing challenge is that the stdlib ssl module has no way to > trigger a renegotiation, and therefore there's no way to write tests > to check that it properly handles a renegotiation, even though > renegotiation is by far the trickiest part of the protocol to get > right. (In particular, renegotiation is the only case where attempting > to read can give WantWrite and vice-versa.) Renegociation was the source of a vulnerability in SSL/TLS protocols, so maybe it's a good thing that it's not implemented :-) https://www.rapid7.com/db/vulnerabilities/tls-sess-renegotiation Renegociation was removed from the new TLS 1.3 protocol: https://tlswg.github.io/tls13-spec/ "TLS 1.3 forbids renegotiation" Oh, sure, renegotiation is awful, no question. The HTTP/2 spec also forbids it. But it does still get used and python totally implements it :-). If python is talking to some peer and the peer says "hey, let's renegotiate now" then it will. There just aren't any tests for what happens next. Not that this has much to do with MemoryBIOs. Sorry for the tangent. -n
_______________________________________________ Python-Dev mailing list [email protected] https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com