Message 167336 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	cory.mintz
Recipients	cory.mintz
Date	2012-08-03.15:09:34
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1344006576.37.0.61147044371.issue15549@psf.upfronthosting.co.za>
In-reply-to

Content
The Python 2.7.3 and 2.6.8 Windows builds are both built against "OpenSSL 0.9.8l 5 Nov 2009". This specific version of OpenSSL had renegotiation removed due a security vulnerability. Except from http://svn.python.org/projects/external/openssl-0.9.8x/NEWS. Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m: ... o Support for RFC5746 TLS renegotiation extension. ... Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l: o Temporary work around for CVE-2009-3555: disable renegotiation. Can the OpenSSL version be updated to at least OpenSSL 0.9.8m so renegotiation is supported?

The Python 2.7.3 and 2.6.8 Windows builds are both built against "OpenSSL 0.9.8l 5 Nov 2009".

This specific version of OpenSSL had renegotiation removed due a security vulnerability. Except from http://svn.python.org/projects/external/openssl-0.9.8x/NEWS.

  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
      ...
      o Support for RFC5746 TLS renegotiation extension.
      ...
  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:

      o Temporary work around for CVE-2009-3555: disable renegotiation.

Can the OpenSSL version be updated to at least OpenSSL 0.9.8m so renegotiation is supported?

History
Date	User	Action	Args
2012-08-03 15:09:36	cory.mintz	set	recipients: + cory.mintz
2012-08-03 15:09:36	cory.mintz	set	messageid: <1344006576.37.0.61147044371.issue15549@psf.upfronthosting.co.za>
2012-08-03 15:09:35	cory.mintz	link	issue15549 messages
2012-08-03 15:09:34	cory.mintz	create