[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-10 Thread Qichao Chu

Qichao Chu <qc@gatech.edu> added the comment:

Thanks Christian! Let's wait for OpenSSL then.
I will close this bug for now and reopen when OpenSSL releases 1.1.1 with the 
new flag.

--
resolution:  -> later
stage: patch review -> resolved
status: open -> closed

___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32257>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-10 Thread Qichao Chu

Qichao Chu <qc@gatech.edu> added the comment:

How about exposing the internal ssl object? This will allow applications to 
control the flag.

--




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-10 Thread Qichao Chu

Qichao Chu <qc@gatech.edu> added the comment:

Thank you for the investigation. This does seem better than the flag. Shall we 
go ahead and implement this?

--




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-09 Thread Qichao Chu

Qichao Chu <qc@gatech.edu> added the comment:

I don't think it is a bug in OpenSSL. For various reasons, certain applications 
must allow renegotiation, while this leaves a security problem for others. That's 
why, if Python can control this flag, applications will be more confident in 
dealing with DoS attacks aimed at renegotiation.

This flag controls not only SSL3 but also TLSv1.1 and TLSv1.2, as tested on 
Nginx and Gevent.

As of OpenSSL 1.0.2h, in file ssl/s3_lib.c:

    int ssl3_renegotiate(SSL *s)
    {
        /* No handshake function installed yet: nothing to renegotiate. */
        if (s->handshake_func == NULL)
            return (1);

        /* Flag set by the application: refuse the renegotiation request. */
        if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
            return (0);

        /* Otherwise mark the connection so the next handshake renegotiates. */
        s->s3->renegotiate = 1;
        return (1);
    }

--

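As an added example (not code from the issue, nginx or CPython), the server-side configuration this thread is asking for, expressed with the ssl module on Python 3.7+ built against OpenSSL 1.1.0h or newer, where ssl.OP_NO_RENEGOTIATION exists; the helper names are my own, and on a build without the constant (such as the 2.7 / 1.0.2 combination discussed here) the audit reports that the option cannot be set rather than failing.

```python
import ssl

# ssl.OP_NO_RENEGOTIATION exists on Python 3.7+ built against OpenSSL 1.1.0h+.
# The Python 2.7 / OpenSSL 1.0.2 combination in this thread has no such
# constant, so it is looked up defensively instead of referenced directly.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", None)


def make_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext that ignores client-initiated renegotiation
    on TLS 1.2 and earlier (TLS 1.3 removed renegotiation entirely).
    certfile/keyfile are optional so the function runs without a cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    if OP_NO_RENEGOTIATION is not None:
        ctx.options |= OP_NO_RENEGOTIATION
    return ctx


def renegotiation_disabled(ctx):
    """Audit helper: True if the option bit is set on ctx, False if it is
    not, None when this interpreter/OpenSSL build cannot express it
    (the gap the issue was opened about)."""
    if OP_NO_RENEGOTIATION is None:
        return None
    return bool(ctx.options & OP_NO_RENEGOTIATION)


def audit_report(name, ctx):
    """One log line per context, suitable for a startup self-check."""
    state = renegotiation_disabled(ctx)
    if state is None:
        verdict = "UNKNOWN (build lacks OP_NO_RENEGOTIATION)"
    elif state:
        verdict = "disabled"
    else:
        verdict = "ENABLED (client-initiated renegotiation possible on TLS <= 1.2)"
    return "%s: renegotiation %s" % (name, verdict)


if __name__ == "__main__":
    print(audit_report("hardened", make_server_context()))
    print(audit_report("default", ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
```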



[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-09 Thread Qichao Chu

Qichao Chu <qc@gatech.edu> added the comment:

Hi Christian,

Thank you for the review! I have changed the code to directly set this flag 
using s3->flags. Code is copied from the nginx repo: 
https://github.com/nginx/nginx/blob/ed0cc4d52308b75ab217724392994e6828af4fda/src/event/ngx_event_openssl.c.

I think this change is still needed. Although OpenSSL claimed it is fixed, 
THC-SSL-DOS showed it is vulnerable. If this is not the case, then nginx won't 
need to set the flag.

Thanks,
Qichao

--




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu

Change by Qichao Chu <qc@gatech.edu>:


--
pull_requests:  -4664




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu

Change by Qichao Chu <qc@gatech.edu>:


--
pull_requests:  -4665




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu

Change by Qichao Chu <qc@gatech.edu>:


--
pull_requests: +4666




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu

Change by Qichao Chu <qc@gatech.edu>:


--
pull_requests: +4665




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu

Change by Qichao Chu <qc@gatech.edu>:


--
keywords: +patch
pull_requests: +4664
stage:  -> patch review




[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu

New submission from Qichao Chu <qc@gatech.edu>:

Adding a new method in SSLContext so that we can disable renegotiation more easily.
This resolves CVE-2009-3555 and the attack demoed by thc-ssl-dos.

--
assignee: christian.heimes
components: SSL
messages: 307879
nosy: christian.heimes, chuq
priority: normal
severity: normal
status: open
title: Support Disabling Renegotiation for SSLContext
type: enhancement
versions: Python 2.7
