Message287875
It's not a bug in Python's ssl module. If I understand David's approach correctly, then he is using the SNI callback the wrong way. By using it the wrong way he has discovered a threading bug in OpenSSL. There is some kind of race condition going on in which two threads free and replace the RSA private key at the same time.
I'm -1 on trying to make the SSLContext object magically read-only.
David, which examples did you read? The documentation https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_servername_callback is pretty clear:
A typical use of this callback is to change the ssl.SSLSocket's SSLSocket.context attribute to a new object of type SSLContext representing a certificate chain that matches the server name.
Apache mod_ssl does it correctly, the first hit on Stack Overflow, too. https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni

Date | User | Action | Args
2017-02-15 17:54:51 | christian.heimes | set | recipients: + christian.heimes, vstinner, David Ford (FirefighterBlu3)
2017-02-15 17:54:51 | christian.heimes | set | messageid: <1487181291.34.0.215077284234.issue29470@psf.upfronthosting.co.za>
2017-02-15 17:54:51 | christian.heimes | link | issue29470 messages
2017-02-15 17:54:51 | christian.heimes | create |
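The pattern the message recommends, as an added example that is not code from the Python project or from this thread: one SSLContext per virtual host is built once at startup, and the servername callback only swaps `sslsocket.context` instead of mutating the shared context. The hostnames, the `select_context` helper and the commented-out certificate paths are assumptions.

```python
import ssl
from types import SimpleNamespace


def build_contexts(hostnames):
    """Build one SSLContext per virtual host, once, before any connection is
    accepted. In a real server each context loads its own cert/key here; the
    paths in the comment are placeholders, not real files."""
    contexts = {}
    for name in hostnames:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        # ctx.load_cert_chain(f"{name}.crt", f"{name}.key")  # placeholder paths
        contexts[name] = ctx
    return contexts


def select_context(server_name, contexts, default):
    """Pick the pre-built context for the SNI name: exact match first, then a
    wildcard entry for the parent domain, otherwise the default context."""
    if not server_name:
        return default
    name = server_name.lower().rstrip(".")
    if name in contexts:
        return contexts[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return contexts.get("*." + parent, default)


def make_sni_callback(contexts, default):
    def callback(sslsocket, server_name, sslcontext):
        # Correct: point the socket at a ready-made context. The wrong way is
        # sslcontext.load_cert_chain(...) here, which rewrites the key of the
        # context shared by every concurrent handshake and races in OpenSSL.
        sslsocket.context = select_context(server_name, contexts, default)
        return None  # None lets the handshake continue
    return callback


def install(default_ctx, contexts):
    """Register the callback on the context the listening socket is wrapped with."""
    default_ctx.set_servername_callback(make_sni_callback(contexts, default_ctx))
    return default_ctx


def demo():
    contexts = build_contexts(["www.example.com", "*.example.net"])
    default = install(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), contexts)
    fake_socket = SimpleNamespace(context=default)  # stand-in for an SSLSocket
    cb = make_sni_callback(contexts, default)
    cb(fake_socket, "www.example.com", default)
    return {
        "exact": fake_socket.context is contexts["www.example.com"],
        "wildcard": select_context("api.example.net", contexts, default) is contexts["*.example.net"],
        "fallback": select_context("other.org", contexts, default) is default,
        "no_sni": select_context(None, contexts, default) is default,
    }
```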