[Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
Antoine Pitrou
solipsis at pitrou.net
Wed Nov 24 09:02:13 CET 2010
On Tuesday, 23 November 2010 at 20:56 -0500, Glyph Lefkowitz wrote:
> On Nov 23, 2010, at 9:02 AM, Antoine Pitrou wrote:
> > On 23 November 2010 00:07:09 -0500
> > Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> >> On Mon, Nov 22, 2010 at 11:13 PM, Hirokazu Yamamoto <
> >> ocean-city at m2.ccsnet.ne.jp> wrote:
> >>
> >>> Hello. Does this affect python? Thank you.
> >>>
> >>> http://www.openssl.org/news/secadv_20101116.txt
> >>>
> >>
> >> No.
> >
> > Well, actually it does, but Python links against the system OpenSSL on
> > most platforms (except Windows), so it's up to the OS vendor to apply
> > the patch.
>
> It does? If so, I must have misunderstood the vulnerability. Can you
> explain how it affects Python?

If I believe the link above:

“Any OpenSSL based TLS server is vulnerable if it is multi-threaded and
uses OpenSSL's internal caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT affected.”

So, you just have to create a multithreaded TLS server which doesn't
disable server-side session caching (it is enabled by default according
to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html )

Regards

Antoine.