[issue25672] Unconditionally set SSL_MODE_RELEASE_BUFFERS

2015-11-19 Thread Cory Benfield

New submission from Cory Benfield:

Originally raised by Ben Bangert on the python-dev mailing list.

It turns out that OpenSSL has a mode setting, SSL_MODE_RELEASE_BUFFERS, that 
can be set by a call to SSL_CTX_set_mode. This mode can potentially reduce 
connection overhead by nearly 18kB *per connection*, a reduction of something 
like 60%. Further, this does not change the behaviour of OpenSSL in any 
meaningful way.

For this reason, we should unconditionally set this mode on all SSL Context 
objects we create.

I'm happy to submit a patch to the standard library that will do this.

--
components: Library (Lib)
messages: 254918
nosy: Lukasa
priority: normal
severity: normal
status: open
title: Unconditionally set SSL_MODE_RELEASE_BUFFERS
versions: Python 3.6

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue25672] Unconditionally set SSL_MODE_RELEASE_BUFFERS

2015-11-19 Thread Cory Benfield

Cory Benfield added the comment:

Oh, one further requirement: we should *not* set this mode for OpenSSL releases 
1.x through 1.0.1g, which have a NULL pointer dereference vulnerability 
(CVE-2014-0198). Thanks to Marc-Andre Lemburg for spotting this.

See also: https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2014-0198

--

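As an added example (not the tracker's or CPython's own code), a small C check that applies the version exclusion from the comment above before choosing the mode bits to pass to SSL_CTX_set_mode. It assumes OpenSSL's packed OPENSSL_VERSION_NUMBER encoding; the constants FIRST_EXCLUDED/LAST_EXCLUDED, the helper functions and the sample version numbers are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the CPython patch. Decides whether to enable
 * SSL_MODE_RELEASE_BUFFERS from a packed OpenSSL version number, so the
 * mode is skipped on the releases the tracker comment excludes.
 * OpenSSL encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS: major nibble,
 * minor byte, fix byte, patch-letter byte (a=1 ... z=26, 0 = none) and a
 * status nibble (0xf = release). The mode bit value matches OpenSSL's ssl.h. */
#ifndef SSL_MODE_RELEASE_BUFFERS
#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
#endif

/* Excluded range as stated in the comment: OpenSSL 1.x up to 1.0.1g.
 * Treating every 1.0.x build up to 1.0.1g as excluded is conservative;
 * the only cost is forgoing the buffer saving on those builds. */
#define FIRST_EXCLUDED 0x10000000UL /* 1.0.0, any status nibble */
#define LAST_EXCLUDED  0x1000107fUL /* 1.0.1g release           */

/* Render a packed version as "1.0.1g" for logging; returns a static buffer. */
const char *openssl_version_string(unsigned long v)
{
    static char buf[24];
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    if (patch >= 1 && patch <= 26)
        snprintf(buf, sizeof buf, "%u.%u.%u%c", major, minor, fix, 'a' + patch - 1);
    else
        snprintf(buf, sizeof buf, "%u.%u.%u", major, minor, fix);
    return buf;
}

/* True when the build is outside the excluded CVE-2014-0198 range. */
bool release_buffers_is_safe(unsigned long v)
{
    return v < FIRST_EXCLUDED || v > LAST_EXCLUDED;
}

/* Mode bits to OR into the context: SSL_MODE_RELEASE_BUFFERS or nothing.
 * A caller in _ssl.c would pass this to SSL_CTX_set_mode(ctx, mode) with
 * v = OPENSSL_VERSION_NUMBER of the headers it was compiled against. */
long release_buffers_mode(unsigned long v)
{
    return release_buffers_is_safe(v) ? SSL_MODE_RELEASE_BUFFERS : 0L;
}

int main(void)
{
    /* Constructed sample builds: 1.0.1g (excluded), 1.0.1h, 1.1.0. */
    unsigned long samples[] = { 0x1000107fUL, 0x1000108fUL, 0x1010000fUL };
    for (size_t i = 0; i < 3; i++)
        printf("OpenSSL %-7s -> mode 0x%lx\n", openssl_version_string(samples[i]),
               release_buffers_mode(samples[i]));
    return 0;
}
```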