On 19.11.2015 09:14, Cory Benfield wrote:
> 
>> On 19 Nov 2015, at 03:53, Ben Bangert <b...@groovie.org> wrote:
>>
>> In Python 2 and 3, the ssl module's SSLContext object has a way to set
>> SSL options, but not to set SSL modes.
>>
>> The set_mode command and some of the available modes:
>> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html
>>
>> The most critical mode is SSL_MODE_RELEASE_BUFFERS, which can drop the
>> SSL overhead *per connection* from around 25kb to ~7kb. The pyopenssl
>> library allows the setting of SSLContext modes, it seems very odd that
>> the Python 2/3 ssl modules do not. Though I could understand that
>> perhaps not all SSL libraries Python might build against would have
>> this mode thing available.
>>
> 
> Ben,
> 
> Do we need the ability to set arbitrary modes? Most of the modes mentioned in 
> the OpenSSL documentation are things we actively don’t want the user to set 
> because stuff will randomly break. With that in mind, and with the fact that 
> SSL_MODE_RELEASE_BUFFERS is so obviously better than the standard, should we 
> just instead have the ssl module automatically set SSL_MODE_RELEASE_BUFFERS 
> unconditionally?
> 
> If so, I’m happy to submit a bug/patch to get that to happen.

The mode should only be enabled for OpenSSL versions which are
not affected by this vulnerability:

https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2014-0198

Other than that it seems like a good way forward. Plenty of other
projects have had this enabled by default for years:

http://www.dovecot.org/list/dovecot/2011-October/131381.html
https://svn.boost.org/trac/boost/changeset/71706
https://community.openvpn.net/openvpn/ticket/157

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Nov 19 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________
2015-10-23: Released mxODBC Connect 2.1.5 ...     http://egenix.com/go85

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
                      http://www.malemburg.com/
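The gate Marc-Andre describes, worked through as an added example (it is not code from the thread, from CPython or from eGenix): parse the OpenSSL version the interpreter was built against, decide whether that build is one of the releases hit by CVE-2014-0198, and only then treat SSL_MODE_RELEASE_BUFFERS as safe to request. The fixed-in boundaries (1.0.0m and 1.0.1h, with 0.9.8 and 1.0.2 onwards never affected) are taken from the June 2014 OpenSSL advisory as recalled here, not from the page; the function names are mine. The last function also shows the asymmetry Ben points out: `SSLContext.options` is reachable from the stdlib, a mode setter is not, so the decision can only be handed back to the caller.

```python
import re
import ssl

# Patch level at which each affected series was fixed for CVE-2014-0198
# (NULL dereference in do_ssl3_write with SSL_MODE_RELEASE_BUFFERS on).
# Assumption from the June 2014 OpenSSL advisory, not from the thread:
# 1.0.0 fixed in 1.0.0m, 1.0.1 fixed in 1.0.1h; other series unaffected.
CVE_2014_0198_FIXED_PATCH = {
    (1, 0, 0): 13,   # 'm' is the 13th patch letter
    (1, 0, 1): 8,    # 'h' is the 8th patch letter
}

_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(version_string):
    """Turn an ssl.OPENSSL_VERSION string such as
    'OpenSSL 1.0.1e-fips 11 Feb 2013' into (major, minor, fix, patch),
    the leading fields of ssl.OPENSSL_VERSION_INFO.  Patch letters count
    from a=1; no suffix means patch 0."""
    m = _VERSION_RE.match(version_string)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = 0
    for ch in m.group(4):
        # Multi-letter suffixes (0.9.8za, ...) only occur in the unaffected
        # 0.9.8 series; summing the letters is good enough for the gate.
        patch += ord(ch) - ord("a") + 1
    return (major, minor, fix, patch)


def affected_by_cve_2014_0198(version_info):
    """True when this OpenSSL build crashes with SSL_MODE_RELEASE_BUFFERS set.
    version_info is ssl.OPENSSL_VERSION_INFO or a parse_openssl_version() tuple."""
    series = tuple(version_info[:3])
    patch = version_info[3]
    fixed_patch = CVE_2014_0198_FIXED_PATCH.get(series)
    if fixed_patch is None:
        return False          # 0.9.8, 1.0.2, 1.1.x, 3.x: never affected
    return patch < fixed_patch


def release_buffers_allowed(version_info=ssl.OPENSSL_VERSION_INFO):
    """Only request the mode on builds that are not affected."""
    return not affected_by_cve_2014_0198(version_info)


def build_client_context(version_info=ssl.OPENSSL_VERSION_INFO):
    """SSL *options* can be set through SSLContext.options; SSL *modes*
    cannot, so the release-buffers decision is returned to the caller,
    who might pass it to a binding (such as pyOpenSSL) that does expose
    set_mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_COMPRESSION    # an option: settable from Python
    want_release_buffers = release_buffers_allowed(version_info)
    return ctx, want_release_buffers


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", ssl.OPENSSL_VERSION_INFO)
    print("SSL_MODE_RELEASE_BUFFERS allowed:", release_buffers_allowed())
```

Run against the interpreter's own build, the script prints the linked OpenSSL version and whether the mode would pass the gate; the parser exists so the same check can be applied to a version string recorded from another host (a deployment inventory, for instance) rather than only to the local build.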

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev