Nathaniel Smith <n...@pobox.com> added the comment:

It looks like openssl master has SSL_OP_NO_RENEGOTIATION: 
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html

Before that, I guess one could use SSL_CTX_sess_{connect,accept}_renegotiate to 
detect when a renegotiation has occurred and then error out? Admittedly this is 
more effective in nonblocking or memorybio mode. Or you could do something 
similar with the info callback: allow the current operation to succeed, but 
mark the connection as "poisoned". (Heck, in socket bio mode you could flat out 
close the socket. That'll shut things down.)

For bonus annoyance, note that RFC 7240 does allow implementations to support 
renegotiation that happens before any data is exchanged, to allow for the 
encrypted client cert hack.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32257>
_______________________________________