Message 307924 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	chuq
Recipients	christian.heimes, chuq
Date	2017-12-09.21:59:15
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1512856756.02.0.213398074469.issue32257@psf.upfronthosting.co.za>
In-reply-to

Content
I don't think it is a bug in OpenSSL. For various reasons, certain applications must allow renegotiation while this leaves security problem for others. That's why if python can control this flag, applications will be more confident in dealing with DoS attacks aimed at renegotiation. This flag controls not only SSL3 but also TLSv1.1 and TLSv1.2 after testing on Nginx and Gevent. As of OpenSSL 1.0.2h, in file ssl/s3_lib.c int ssl3_renegotiate(SSL *s) { if (s->handshake_func == NULL) return (1); if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return (0); s->s3->renegotiate = 1; return (1); }

I don't think it is a bug in OpenSSL. For various reasons, certain applications must allow renegotiation while this leaves security problem for others. That's why if python can control this flag, applications will be more confident in dealing with DoS attacks aimed at renegotiation.

This flag controls not only SSL3 but also TLSv1.1 and TLSv1.2 after testing on Nginx and Gevent. 

As of OpenSSL 1.0.2h, in file ssl/s3_lib.c

int ssl3_renegotiate(SSL *s)
{
    if (s->handshake_func == NULL)
        return (1);

    if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
        return (0);

    s->s3->renegotiate = 1;
    return (1);
}

History
Date	User	Action	Args
2017-12-09 21:59:16	chuq	set	recipients: + chuq, christian.heimes
2017-12-09 21:59:16	chuq	set	messageid: <1512856756.02.0.213398074469.issue32257@psf.upfronthosting.co.za>
2017-12-09 21:59:16	chuq	link	issue32257 messages
2017-12-09 21:59:15	chuq	create