[issue32257] Support Disabling Renegotiation for SSLContext
Qichao Chu <qc@gatech.edu> added the comment:

Thanks Christian! Let's wait for OpenSSL then. I will close this bug for now and reopen when OpenSSL releases 1.1.1 with the new flag.

--
resolution: -> later
stage: patch review -> resolved
status: open -> closed

___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32257>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
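The thread ends by waiting for the OpenSSL option that later shipped as SSL_OP_NO_RENEGOTIATION, which Python 3.7+ exposes as ssl.OP_NO_RENEGOTIATION when built against OpenSSL 1.1.0h or later. The following is an added example, not code from this tracker issue, from the patch under review, or from CPython itself, showing how an application would use that option to get the behaviour the submission asked for (and the flag discussed in the later messages) and how it should fail closed when the running ssl module does not have it. The helper names (renegotiation_option_available, disable_renegotiation, renegotiation_disabled, make_server_context) are this example's own, not ssl-module API; certfile/keyfile are the operator's files and are only loaded when supplied.

```python
"""Added example for issue32257 (not CPython code): refuse TLS renegotiation on
an SSLContext via OpenSSL's SSL_OP_NO_RENEGOTIATION.

Assumptions: Python 3.7+ (ssl.OP_NO_RENEGOTIATION, ssl.TLSVersion,
ssl.PROTOCOL_TLS_SERVER).  ssl.OP_NO_RENEGOTIATION only exists when the
interpreter was built against OpenSSL >= 1.1.0h; older builds have no way to
refuse client-initiated renegotiation from Python.
"""
import ssl


def renegotiation_option_available():
    """True if this ssl build exposes OpenSSL's SSL_OP_NO_RENEGOTIATION."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def disable_renegotiation(ctx):
    """Set SSL_OP_NO_RENEGOTIATION on ctx.

    Returns True when the option is set afterwards and False when the running
    ssl module has no such option; the caller decides whether that is
    acceptable.  Setting the flag twice is harmless (bitwise OR).
    """
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is None:
        return False
    ctx.options |= flag
    return True


def renegotiation_disabled(ctx):
    """Report whether the option is set on ctx (False if unsupported)."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return flag is not None and bool(ctx.options & flag)


def make_server_context(certfile=None, keyfile=None, strict=True):
    """Build a server-side context that refuses renegotiation.

    strict=True fails closed: a RuntimeError is raised instead of silently
    serving a context on which a client could still drive repeated
    renegotiations (the thc-ssl-dos pattern).  strict=False returns the
    context anyway so the caller can log the gap and decide.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Renegotiation exists only in TLS 1.2 and earlier; TLS 1.3 replaced it
    # with key updates, so SSL_OP_NO_RENEGOTIATION does not apply there.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    if not disable_renegotiation(ctx) and strict:
        raise RuntimeError(
            "ssl.OP_NO_RENEGOTIATION is unavailable; this build of the ssl "
            "module cannot refuse client-initiated renegotiation"
        )
    return ctx


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    try:
        ctx = make_server_context()
        print("renegotiation disabled:", renegotiation_disabled(ctx))
    except RuntimeError as exc:
        print("cannot harden context:", exc)
```

On a Python 2.7 build, the target of this issue, none of the names used above exist, which is exactly why the original patch had to reach into OpenSSL's internal s3->flags instead; on a modern build the option is a one-line change to ctx.options, and the strict mode makes the absence of the option an error at startup rather than a silent downgrade.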
Qichao Chu <qc@gatech.edu> added the comment:

How about exposing the internal ssl object? This will allow applications to control the flag.

--
Qichao Chu <qc@gatech.edu> added the comment:

Thank you for the investigation. This does seem better than the flag. Shall we go ahead and implement this?

--
Qichao Chu <qc@gatech.edu> added the comment:

I don't think it is a bug in OpenSSL. For various reasons, certain applications must allow renegotiation, while this leaves a security problem for others. That's why, if Python can control this flag, applications will be more confident in dealing with DoS attacks aimed at renegotiation. This flag controls not only SSL3 but also TLSv1.1 and TLSv1.2, after testing on Nginx and Gevent.

As of OpenSSL 1.0.2h, in file ssl/s3_lib.c:

    int ssl3_renegotiate(SSL *s)
    {
        if (s->handshake_func == NULL)
            return (1);

        if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
            return (0);

        s->s3->renegotiate = 1;
        return (1);
    }

--
Qichao Chu <qc@gatech.edu> added the comment:

Hi Christian,

Thank you for the review! I have changed the code to directly set this flag by using s3->flags. The code is copied from the nginx repo: https://github.com/nginx/nginx/blob/ed0cc4d52308b75ab217724392994e6828af4fda/src/event/ngx_event_openssl.c

I think this change is still needed. Although OpenSSL claimed it is fixed, THC-SSL-DOS showed it is vulnerable. If this were not the case, then nginx wouldn't need to set the flag.

Thanks,
Qichao

--
Change by Qichao Chu <qc@gatech.edu>:

--
pull_requests: -4664
Change by Qichao Chu <qc@gatech.edu>:

--
pull_requests: -4665
Change by Qichao Chu <qc@gatech.edu>:

--
pull_requests: +4666
Change by Qichao Chu <qc@gatech.edu>:

--
pull_requests: +4665
Change by Qichao Chu <qc@gatech.edu>:

--
keywords: +patch
pull_requests: +4664
stage: -> patch review
New submission from Qichao Chu <qc@gatech.edu>:

Adding a new method in SSLContext so that we can disable renegotiation more easily. This resolves CVE-2009-3555 and the attack demoed by thc-ssl-dos.

--
assignee: christian.heimes
components: SSL
messages: 307879
nosy: christian.heimes, chuq
priority: normal
severity: normal
status: open
title: Support Disabling Renegotiation for SSLContext
type: enhancement
versions: Python 2.7