Changes by Ned Deily n...@acm.org:
--
nosy: +ned.deily
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13631
___
___
Python-bugs-list mailing list
Charles-François Natali neolo...@free.fr added the comment:
I'm personally +1 on removing the verbose thing altogether:
- it's ugly
- I doubt it's really useful (I mean, printing to stderr - which is often line
buffered or unbuffered - upon every action will probably change the timing)
- it
Charles-François Natali neolo...@free.fr added the comment:
I think this could be due to the multiprocessing manager's server socket
backlog value, which is a little too low: by default, it's set to 5, and the
tests launch up to 3 threads and 3 processes in parallel, so if we're unlucky
with
Charles-François Natali neolo...@free.fr added the comment:
Probably because I'm a threading/multiprocessing neophyte :)
That's a very good reason :-)
Here's a version using two multiprocessing events. Note that I use
timeouts for wait() just to avoid being stuck if something goes wrong:
the
Antoine Pitrou pit...@free.fr added the comment:
Here is a patch adding a set_ecdh_curve() method on SSL contexts, and a
ssl.OP_SINGLE_ECDH_USE option flag. This is enough to enable ECDH with
compatible clients (I've tested with Firefox and openssl s_client).
--
keywords: +patch
Antoine Pitrou pit...@free.fr added the comment:
Charles-François's patch looks good to me.
--
nosy: +pitrou
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11867
___
naif n...@globaleaks.org added the comment:
So, with this patch it should be possible to strictly enable ciphers such as:
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA SSLv3
naif n...@globaleaks.org added the comment:
Wow, I saw your patch for ECC SSL ciphers on http://bugs.python.org/issue13627 .
Do you think we can use the same method/concept as ssl.OP_SINGLE_ECDH_USE but
ssl.OP_SINGLE_DH_USE for DH?
--
___
Python
New submission from naif n...@globaleaks.org:
TLSv1 supports compression with gzip/deflate that can provide for a lot of
protocols a great improvement (just think about SIP/TLS or IMAP) in terms of
bandwidth.
Currently Python SSL stack based on OpenSSL doesn't allow the configuration
New submission from naif n...@globaleaks.org:
The list of Ciphers for Python SSL binding for OpenSSL cannot be ordered in a
specific list of preference.
This is a requirement for strict security environment where the ordered cipher
list is very important.
Apache supports the ordering of
Antoine Pitrou pit...@free.fr added the comment:
So, with this patch it should be possible to strictly enable ciphers such as:
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA
Antoine Pitrou pit...@free.fr added the comment:
Wow, i saw your patch for ECC SSL ciphers on
http://bugs.python.org/issue13627 .
Do you think we can use the same method/concept as
ssl.OP_SINGLE_ECDH_USE but ssl.OP_SINGLE_DH_USE for DH?
Of course.
--
naif n...@globaleaks.org added the comment:
In the meantime I added two other tickets on security and performance
improvements of Python SSL support, to make it really complete and comparable
to Apache/Dovecot/PHP in terms of configuration and capability:
Python SSL stack doesn't support
Antoine Pitrou pit...@free.fr added the comment:
Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?
--
nosy: +pitrou
type: security -> enhancement
versions: -Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.4
___
naif n...@globaleaks.org added the comment:
The Tor Project is composed of Cryptography experts, thus I am opening that
ticket because with our group we're implementing Tor2web based on Python that
requires *strict* security requirements for crypto.
The Tor Project heavily uses Python for most of
naif n...@globaleaks.org added the comment:
Looking at the code from mod_ssl I would say that this is the preference
required https://issues.apache.org/bugzilla/show_bug.cgi?id=28665
--
___
Python tracker rep...@bugs.python.org
Antoine Pitrou pit...@free.fr added the comment:
So, there are two things here:
- allow to disable compression (it's enabled by default AFAICT) using the
SSL_OP_NO_COMPRESSION flag
- allow to query compression status on SSL sockets using the
SSL_get_current_compression() API
--
nosy:
New submission from naif n...@globaleaks.org:
By default the Python SSL/TLS Stack (client/server) exposes unsecure protocols
(SSLv2) and unsecure ciphers (EXPORT 40bit DES).
This ticket is about defining a set of secure ciphers that should also provide
maximum performance and compatibility, in
Antoine Pitrou pit...@free.fr added the comment:
If you want we can open a discussion within Tor Project to have a
rational method to define a set of default ciphers considering
the ratio of security/performance/compatibility.
Why don't you simply define your own default ciphers and call
naif n...@globaleaks.org added the comment:
Created a ticket there for a default-setting:
Python SSL Stack doesn't have a Secure Default set of ciphers
http://bugs.python.org/issue13636
--
___
Python tracker rep...@bugs.python.org
Antoine Pitrou pit...@free.fr added the comment:
As I said, I don't think maintaining an explicit list of ciphers ourselves is
reasonable, since there are no crypto experts (AFAICT) amongst the Python core
developers.
Also, maintaining an explicit list of ciphers means people wouldn't benefit
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset c6d41dd60d2d by Charles-François Natali in branch '2.7':
Issue #11867: Make test_mailbox.test_lock_conflict deterministic (and fix a
http://hg.python.org/cpython/rev/c6d41dd60d2d
New changeset 0053b7c68a02 by
naif n...@globaleaks.org added the comment:
From Antoine Pitrou (pitrou):
Why don't you simply define your own default ciphers and call the
set_ciphers() method?
That said, we could perhaps call set_ciphers(HIGH) by default. This
excludes legacy ciphers (such as RC4, DES) without having us
Antoine Pitrou pit...@free.fr added the comment:
Actually, it seems we want 'HIGH:!aNULL:!eNULL' to avoid non-encrypted and
non-authenticated ciphers.
That way (but this is an approach to be discussed) we will pick-up
a set of widely secure ciphers
Please read my message above and
Antoine Pitrou pit...@free.fr added the comment:
Here is a possible patch for 3.2.
Probably needs a doc addition as well.
--
keywords: +patch
stage: needs patch -> patch review
versions: +Python 2.7
Added file: http://bugs.python.org/file24051/default_ciphers.patch
naif n...@globaleaks.org added the comment:
Ok for:
'HIGH:!aNULL:!eNULL'
but also:
- Disable SSLv2
- Enable ECC/ECDHE by default
- Enable DH/DHE by default
With this in place, I would then suggest to see which is the Default ordered
list of ciphers with an SSL cipher scanner/wireshark.
Then
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default':
Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
http://hg.python.org/cpython/rev/c706f76c9ea8
--
nosy: +python-dev
Antoine Pitrou pit...@free.fr added the comment:
- Disable SSLv2
It should be disabled automatically since the SSLv2 cipher suites are not part
of HIGH: see
http://www.openssl.org/docs/apps/ciphers.html#SSL_v2_0_cipher_suites_
- Enable ECC/ECDHE by default
- Enable DH/DHE by default
Antoine Pitrou pit...@free.fr added the comment:
The new option is now committed in 3.3. Thanks for the report!
--
resolution: -> fixed
stage: -> committed/rejected
status: open -> closed
___
Python tracker rep...@bugs.python.org
Charles-François Natali neolo...@free.fr added the comment:
Should be fixed now, thanks!
--
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed
___
Python tracker rep...@bugs.python.org
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset 0b03cb97dac0 by Victor Stinner in branch '3.2':
Issue #13628: python-gdb.py is now able to retrieve more frames in the Python
http://hg.python.org/cpython/rev/0b03cb97dac0
New changeset 5e3a172bba89 by Victor
naif n...@globaleaks.org added the comment:
To disable SSLv2 you must specifically disable it.
Look, I tried a server we're working on http://github.com/hellais/tor2web
that's running on:
privacyresearch.infosecurity.ch port
With 'HIGH:!aNULL:!eNULL' SSLv2 can connect:
openssl s_client
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset 1cc8e9565339 by Victor Stinner in branch '2.7':
Issue #13628: python-gdb.py is now able to retrieve more frames in the Python
http://hg.python.org/cpython/rev/1cc8e9565339
--
STINNER Victor victor.stin...@haypocalc.com added the comment:
It is possible to retrieve f from the caller, PyEval_EvalCodeEx()
It does not always work, but it works sometimes, so it's better to try :-)
I applied my fix to Python 2.7, 3.2 and 3.3. lipython.py of Python 2.7 is
outdated, it
Antoine Pitrou pit...@free.fr added the comment:
We must disable SSLv1 with !SSLv2, for example I am using just now
'HIGH:!aNULL:!eNULL:!SSLv2:@STRENGTH' .
Ok, thanks for the investigation. I think HIGH:!aNULL:!eNULL:!SSLv2 is
sufficient.
--
___
naif n...@globaleaks.org added the comment:
Yes, I can do the test for the ordered set of ciphers with all the patches
in-place, can build a custom python 3.2 with the patch applied.
I would suggest to try to keep ECC/ECDH/ECDHE enabled, conceptually we would
like to have ECDHE as the first
naif n...@globaleaks.org added the comment:
About ECDHE use as a default, prioritized key exchange method, google is using
it along with RC4:
http://www.julianevansblog.com/2011/11/https-encryption-increased-for-gmail-and-google.html
--
___
Python
naif n...@globaleaks.org added the comment:
We could also disable all the ciphers that use MD5 for authentication:
MD5 has been disabled for SSL use due to its weakness by:
- Firefox (All mozilla products now refuse any MD5 ciphers)
naif n...@globaleaks.org added the comment:
It would be also useful to sort the order of ciphers by its strength.
This is done by the parameter @STRENGTH :
From http://www.openssl.org/docs/apps/ciphers.html
Additionally the cipher string @STRENGTH can be used at any point to sort the
Antoine Pitrou pit...@free.fr added the comment:
MD5 has been disabled for SSL use due to its weakness by:
Apparently MD5 is already disabled by HIGH:!SSLv2.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13636
Antoine Pitrou pit...@free.fr added the comment:
I would suggest to try to keep ECC/ECDH/ECDHE enabled, conceptually
we would like to have ECDHE as the first ciphers because it's the most
modern, performance and secure.
However, this will also divide performance by a large factor (from 2x
naif n...@globaleaks.org added the comment:
I confirm, tested HIGH:!SSLv2 and MD5 cannot be negotiated.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13636
___
Antoine Pitrou pit...@free.fr added the comment:
Here is a patch.
--
keywords: +patch
stage: needs patch -> patch review
Added file: http://bugs.python.org/file24052/compression.patch
___
Python tracker rep...@bugs.python.org
Antoine Pitrou pit...@free.fr added the comment:
(note that some OpenSSLs are built without compression, such as Mageia's)
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13634
___
Antoine Pitrou pit...@free.fr added the comment:
About ECDHE use as a default, prioritized key exchange method, google
is using it along with RC4:
Hmmm... do note that RC4 is disabled with HIGH.
--
___
Python tracker rep...@bugs.python.org
Changes by Antoine Pitrou pit...@free.fr:
--
keywords: +easy, needs review -patch
nosy: +georg.brandl
stage: -> patch review
versions: +Python 3.3
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13620
Charles-François Natali neolo...@free.fr added the comment:
Another failure on an OpenIndiana buildbot:
==
ERROR: testTimeoutConnect (test.test_ftplib.TestTimeouts)
Antoine Pitrou pit...@free.fr added the comment:
  File "/var/lib/buildslave/3.x.murray-gentoo/build/Lib/socket.py", line 275, in readinto
    raise IOError("cannot read from timed out object")
OSError: cannot read from timed out object
Ah, annoying. The NNTP tests use a single connection, and
Antoine Pitrou pit...@free.fr added the comment:
Jesus is the OpenIndiana buildbots' administrator.
--
nosy: +jcea
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13453
___
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset 2228d985fdcc by Charles-François Natali in branch '2.7':
Issue #13453: Try to increase some socket timeouts to make some buildbots stop
http://hg.python.org/cpython/rev/2228d985fdcc
New changeset d7daf98c068e by
Changes by Antoine Pitrou pit...@free.fr:
--
nosy: +flox, haypo
versions: +Python 3.2, Python 3.3
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13612
___
Antoine Pitrou pit...@free.fr added the comment:
Thanks for the patch. Two things:
- there is a compilation warning using gcc:
/home/antoine/cpython/default/Modules/_sqlite/row.c: In function
‘pysqlite_row_subscript’:
/home/antoine/cpython/default/Modules/_sqlite/row.c:128:26: attention :
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset 71e5a083f9b1 by Antoine Pitrou in branch '3.2':
Issue #5424: add tests for inet_ntoa, inet_ntop, inet_aton and inet_pton.
http://hg.python.org/cpython/rev/71e5a083f9b1
New changeset a3d5f522065f by Antoine Pitrou in
Antoine Pitrou pit...@free.fr added the comment:
I have finally committed the patch. Thank you!
--
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed
___
Python tracker rep...@bugs.python.org
Changes by Antoine Pitrou pit...@free.fr:
--
nosy: +rhettinger
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6743
___
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset 8b729d65cfd2 by Antoine Pitrou in branch 'default':
Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman
http://hg.python.org/cpython/rev/8b729d65cfd2
--
nosy: +python-dev
Antoine Pitrou pit...@free.fr added the comment:
Patch now committed in 3.3.
--
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13627
New submission from Antoine Pitrou pit...@free.fr:
a2b_hex and friends accept only byte strings:
>>> binascii.a2b_hex(b'00')
b'\x00'
>>> binascii.a2b_hex('00')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: 'str' does not support the buffer interface
But they could
New submission from Antoine Pitrou pit...@free.fr:
Its declaration can be found in Include/pyerrors.h.
Same for PyErr_SetExcFromWindowsErrWithFilenameObject.
--
assignee: docs@python
components: Documentation
messages: 149877
nosy: arnaudc, docs@python, haypo, pitrou
priority: normal
Jason R. Coombs jar...@jaraco.com added the comment:
I meant to paste the repro with distutils.core:
python -c "from distutils.core import setup; setup(name=u'foo')" sdist --formats gztar
--
___
Python tracker rep...@bugs.python.org
Jason R. Coombs jar...@jaraco.com added the comment:
This error is also encountered if the package name is unicode. The error can be
simply reproduced with this command:
python -c "from setuptools import setup; setup(name=u'foo')" sdist --formats gztar
The error also occurs with the bdist
Antoine Pitrou pit...@free.fr added the comment:
Here is a patch adding the load_dh_params method on SSL contexts, and the
OP_SINGLE_DH_USE option flag.
--
keywords: +patch
stage: needs patch -> patch review
Added file: http://bugs.python.org/file24053/dh.patch
Roger Serwy roger.se...@gmail.com added the comment:
IDLE does have a color scheme configuration for found as listed in the
highlighting config dialog and internally as the Tkinter Text tag hit. This
looks like the stubs for functionality that never got implemented.
Take a look at the
David Butler croe...@gmail.com added the comment:
sorry for the delay, I had to wait until the problem occurred again...
I gdb'ed into the process again, the backtrace is a little different this
time...
(gdb) bt
#0 0xb76adfc6 in update_refs (containers=<optimized out>) at
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset 50267d2bb320 by Giampaolo Rodola' in branch 'default':
(bug #8684) fix 'fedora without thread buildbot' as per
http://bugs.python.org/issue8684
http://hg.python.org/cpython/rev/50267d2bb320
--
Giampaolo Rodola' g.rod...@gmail.com added the comment:
This should now be fixed. Thanks for signaling.
--
status: open -> closed
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue8684
___
Arnaud Calmettes calmettes.arn...@gmail.com added the comment:
Hi.
The patch works fine on my box with Chromium 16 under Archlinux.
However, I think it might not work under Ubuntu or Debian, since the program is
named chromium-browser on these distros, and it is missing from the list of
Changes by Ned Deily n...@acm.org:
--
nosy: +haypo
stage: -> patch review
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13051
___
___
Changes by Oleg Broytman p...@phdru.name:
Removed file: http://bugs.python.org/file23986/webbrowser.py.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13620
___
Oleg Broytman p...@phdru.name added the comment:
I updated the patch. Thank you for reviewing!
--
keywords: +patch
Added file: http://bugs.python.org/file24055/webbrowser.py.patch
___
Python tracker rep...@bugs.python.org
Geoffrey Bache gjb1...@users.sourceforge.net added the comment:
I'm hesitant to make it line-buffered by default when directed to a
file, since this could significantly slow down a program that for some
reason produces super-voluminous output (e.g. when running a program
with heavy debug
Geoffrey Bache gjb1...@users.sourceforge.net added the comment:
The changes are good as far as they go, but they only affect the documentation
of sys.stderr and sys.stdout.
I also suggested changes to the documentation of the -u flag, and to What's
New in Python 3.0, can someone look at that
Geoffrey Bache gjb1...@users.sourceforge.net added the comment:
I think we all agree line-buffering is sufficient, so I change the title.
--
title: sys.stderr should be unbuffered (or always line-buffered) -> sys.stderr
should always be line-buffered
Arnaud Calmettes calmettes.arn...@gmail.com added the comment:
The new patch works under Ubuntu but not under Archlinux anymore (where the
program is named chromium).
Here is a patch that works with python 3.3 under both distributions.
--
Added file:
Changes by Oleg Broytman p...@phdru.name:
Removed file: http://bugs.python.org/file24055/webbrowser.py.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13620
___
Oleg Broytman p...@phdru.name added the comment:
I'm fine with that version.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13620
___
___
Brian Curtin br...@python.org added the comment:
Would you be able to produce a unit test which fails before your patch is
applied, but succeeds after applying your changes? That'll make your changes
more likely to get accepted.
--
nosy: +brian.curtin
Arnaud Calmettes calmettes.arn...@gmail.com added the comment:
Here is a patch against the 3.3 documentation, mentioning the new supported
browser types.
--
Added file: http://bugs.python.org/file24057/webbrowser_doc.patch
___
Python tracker
Stan Cox s...@redhat.com added the comment:
systemtap doesn't have a ustack helper, but if the frame pointer were
provided to PYTHON_FUNCTION_ENTRY, then it could be cached to provide python
stack frame access.
--- Python/ceval.c.12011-12-07 11:18:03.733659382 -0500
+++
Jesús Cea Avión j...@jcea.es added the comment:
It seems to be a real infinite loop. Bad thing. Could be a bug in an extension,
difficult to say.
This is going to be VERY difficult to debug without a reproducible case we can
try.
Could you possibly check the object type of the infinite loop
New submission from Jason R. Coombs jar...@jaraco.com:
python -c "import tarfile; tarfile.open(u'hello.tar.gz', 'w|gz')"
produces
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "C:\Users\jaraco\projects\public\cpython\Lib\tarfile.py", line 1687, in open
Jason R. Coombs jar...@jaraco.com added the comment:
I believe the underlying cause of this issue is #13639.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11638
___
Changes by Jesús Cea Avión j...@jcea.es:
--
nosy: +jcea
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13634
___
Changes by Jesús Cea Avión j...@jcea.es:
--
nosy: +jcea
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13635
___
Changes by Jesús Cea Avión j...@jcea.es:
--
nosy: +jcea
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13636
___
New submission from Hiroaki Kawai hiroaki.ka...@gmail.com:
Add application/vnd.apple.mpegurl, which is used by smartphones recently.
It is registered in IANA :
http://www.iana.org/assignments/media-types/application/vnd.apple.mpegurl
An application is described in
Jason R. Coombs jar...@jaraco.com added the comment:
I've created a repo to continue this work. I've integrated David's patch
(thanks).
It's not obvious to me what the encoding should be. Python and the tarfile
module can accept unicode filenames. It seems that only the gzip part of
tarfile
Changes by Jason R. Coombs jar...@jaraco.com:
Added file: http://bugs.python.org/file24059/9e9ea96eb0dd.diff
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11638
___
David Butler croe...@gmail.com added the comment:
2011/12/19 Jesús Cea Avión rep...@bugs.python.org
I am willing to work toward a simplified test case, but it's going to be
difficult, I am hoping that I can narrow down the source of the problem...
Forgive me, I'm gdb is actually a new thing to
Jesús Cea Avión j...@jcea.es added the comment:
Instrumentalize: check for this pathological case (an object with a GC pointer
back to itself) in the code that modifies the GC pointers. Let's say, every time
code changes the pointers, you test for this. Luckily you can learn the codepath
creating
Jesús Cea Avión j...@jcea.es added the comment:
David, if you get desperate, let us know. If you can deal with Mercurial and
compiling Python code, I could post a mercurial repository/branch with code
modifications to help you to debug this.
But it is almost Christmas and I am VERY busy and
Duncan Findlay dun...@duncf.ca added the comment:
I've been digging into this quite a bit, and I've been able to dig up a little
more info.
* In Python 2.1, the behavior was very similar to what we have now -- signals
were not blocked. http://bugs.python.org/issue465673 was filed reporting
Antoine Pitrou pit...@free.fr added the comment:
1. On FreeBSD, we must assume that every blocking system call, in *every
thread*, can be interrupted, and we need to catch EINTR.
2. On FreeBSD, we cannot block indefinitely in the main thread and expect to
handle signals. This means