[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-10 Thread Qichao Chu
Qichao Chu <qc@gatech.edu> added the comment: Thanks Christian! Let's wait for OpenSSL then. I will close this bug for now and reopen when OpenSSL releases 1.1.1 with the new flag. -- resolution: -> later stage: patch review -> resolved status: op

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-10 Thread Qichao Chu
Qichao Chu <qc@gatech.edu> added the comment: How about exposing the internal ssl object? This will allow applications to control the flag.

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-10 Thread Qichao Chu
Qichao Chu <qc@gatech.edu> added the comment: Thank you for the investigation. This does seem better than the flag. Shall we go ahead and implement this?

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-09 Thread Qichao Chu
Qichao Chu <qc@gatech.edu> added the comment: I don't think it is a bug in OpenSSL. For various reasons, certain applications must allow renegotiation, while this leaves a security problem for others. That's why if Python can control this flag, applications will be more confident in d

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-09 Thread Qichao Chu
Qichao Chu <qc@gatech.edu> added the comment: Hi Christian, Thank you for the review! I have changed the code to directly set this flag by using s3->flag. The code is copied from the nginx repo: https://github.com/nginx/nginx/blob/ed0cc4d52308b75ab217724392994e6828af4fda/

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu
Change by Qichao Chu <qc@gatech.edu>: -- pull_requests: -4664

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu
Change by Qichao Chu <qc@gatech.edu>: -- pull_requests: -4665

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu
Change by Qichao Chu <qc@gatech.edu>: -- pull_requests: +4666

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu
Change by Qichao Chu <qc@gatech.edu>: -- pull_requests: +4665

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu
Change by Qichao Chu <qc@gatech.edu>: -- keywords: +patch pull_requests: +4664 stage: -> patch review

[issue32257] Support Disabling Renegotiation for SSLContext

2017-12-08 Thread Qichao Chu
New submission from Qichao Chu <qc@gatech.edu>: Adding a new method in SSLContext so that we can disable renegotiation more easily. This resolves CVE-2009-3555 and the attack demoed by thc-ssl-dos -- assignee: christian.heimes components: SSL messages: 307879 nosy: christian.heimes