Author chuq
Recipients christian.heimes, chuq
Date 2017-12-09.21:59:15
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1512856756.02.0.213398074469.issue32257@psf.upfronthosting.co.za>
In-reply-to
Content
I don't think it is a bug in OpenSSL. For various reasons, certain applications must allow renegotiation while this leaves security problem for others. That's why if python can control this flag, applications will be more confident in dealing with DoS attacks aimed at renegotiation.

This flag controls not only SSL3 but also TLSv1.1 and TLSv1.2 after testing on Nginx and Gevent. 

As of OpenSSL 1.0.2h, in file ssl/s3_lib.c

int ssl3_renegotiate(SSL *s)
{
    if (s->handshake_func == NULL)
        return (1);

    if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
        return (0);

    s->s3->renegotiate = 1;
    return (1);
}
History
Date User Action Args
2017-12-09 21:59:16chuqsetrecipients: + chuq, christian.heimes
2017-12-09 21:59:16chuqsetmessageid: <1512856756.02.0.213398074469.issue32257@psf.upfronthosting.co.za>
2017-12-09 21:59:16chuqlinkissue32257 messages
2017-12-09 21:59:15chuqcreate