[Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)

Antoine Pitrou solipsis at pitrou.net
Wed Nov 24 16:11:20 CET 2010

• Previous message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
• Next message: [Python-Dev] OpenSSL Vulnerability (openssl-1.0.0a)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

On 2010年11月24日 15:01:06 -0000
exarkun at twistedmatrix.com wrote:
> >
> >If I believe the link above:
> > 1CAny OpenSSL based TLS server is vulnerable if it is multi-threaded and
> >uses OpenSSL's internal caching mechanism. Servers that are
> >multi-process and/or disable internal session caching are NOT 
> >affected. 1D
> >
> >So, you just have to create a multithreaded TLS server which doesn't
> >disable server-side session caching (it is enabled by default according
> >to http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html 
> >)
>> Hm. The session cache is enabled by default, but nothing will ever use 
> it unless the server specifies a session id using 
> SSL_set_session_id_context or SSL_CTX_set_session_id_context. Python 
> doesn't expose these, so I don't think any Python SSL server can set 
> them.

Well, Python calls SSL_CTX_set_session_id_context() implicitly, starting
from 3.2 (precisely so that the session cache gets used). The
"documentation" I've found about the "session id context" seems to
suggest that a process-wide constant is enough.
(and you can verify that caching occurs using the new
SSLContext.session_stats() method)
> Or I may misunderstand how SSL sessions work in OpenSSL entirely. The 
> documentation for them is on par with that for most of the rest of 
> OpenSSL.

Agreed.
Regards
Antoine.

---

• Previous message: [Python-Dev] OpenSSL Voluntarily (openssl-1.0.0a)
• Next message: [Python-Dev] OpenSSL Vulnerability (openssl-1.0.0a)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-Dev mailing list