Re: [Python-Dev] OpenSSL vulnerability
by exarkun
Nov 6 2009 2:37PM
On 10:18 pm, janssen@[...].com wrote:
> Guido,
>
> I'm working from <http://extendedsubset.com/Renegotiating_TLS.pdf>.
>
> I believe geremy is right. The current SSL module does not expose much
> of the SSL API, so servers implemented in Python, using it, should
> (fortuitously) be immune to some of the attacks outlined, simply
> because there's no way to do an application-initiated renegotiation,
> which the first two scenarios presuppose. On the other hand, there's
> no way to do application-directed session resumption, either, which
> might be a good add to support new or updated application protocols
> which address this problem.
Also, for Python 2.5 and earlier, any SSL-based code is vulnerable to a
MitM anyway, so this can only be an issue for code using the new APIs in
Python 2.6.
Jean-Paul