
Author christian.heimes
Recipients alex, cheryl.sabella, christian.heimes, martin.panter, njs, vstinner
Date 2018-01-22.12:06:35
Message-id <1516622795.53.0.467229070634.issue27815@psf.upfronthosting.co.za>
In-reply-to
Content
For example, an invalid host name should invalidate the session until #31399 is resolved. Any TLS protocol violation should also invalidate the session. If somebody messes with the connection or the TLS protocol encounters a problem during MAC validation, the connection must be considered as tainted.

Some exceptions may be fine. IMO it's still safer to hard-close the connection on any exception.

I agree with you. Let's not guess and ask some experts. I'm having meetings with security engineers from GnuTLS and NSS next week. I'll ask them.
History
Date | User | Action | Args
2018-01-22 12:06:35 | christian.heimes | set | recipients: + christian.heimes, vstinner, alex, njs, martin.panter, cheryl.sabella
2018-01-22 12:06:35 | christian.heimes | set | messageid: <1516622795.53.0.467229070634.issue27815@psf.upfronthosting.co.za>
2018-01-22 12:06:35 | christian.heimes | link | issue27815 messages
2018-01-22 12:06:35 | christian.heimes | create |
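
Added example, not part of the original message or of CPython: one way a client could apply the policy discussed in the message above, hard-closing on any exception and never offering that connection's session for resumption again. `TaintAwareSessionCache` and its methods are hypothetical names; `SSLSocket.session` and the `session=` argument of `SSLContext.wrap_socket()` are the real `ssl` module APIs (Python 3.6+).

```python
import socket
import ssl


class TaintAwareSessionCache:
    """Hypothetical client-side cache of ssl.SSLSession objects per (host, port).

    A session is kept for resumption only if the connection that used it
    finished without raising; any exception evicts it.
    """

    def __init__(self, context):
        self.context = context
        self._sessions = {}

    def get(self, key):
        return self._sessions.get(key)

    def request(self, host, port, payload, connect=socket.create_connection):
        """Send payload, return one read; `connect` is injectable for testing."""
        key = (host, port)
        raw = connect((host, port))
        tls = None
        try:
            tls = self.context.wrap_socket(
                raw, server_hostname=host, session=self._sessions.get(key))
            tls.sendall(payload)
            reply = tls.recv(65536)
            session = tls.session
            tls.unwrap()  # orderly shutdown: close_notify exchange
        except Exception:
            # Host name or certificate failure, protocol violation, bad record
            # MAC, ragged EOF, timeout: treat the connection as tainted.
            self._sessions.pop(key, None)   # never offer this session again
            (raw if tls is None else tls).close()  # hard close, no close_notify
            raise
        self._sessions[key] = session
        tls.close()
        return reply
```

A session stored this way can only be resumed through the same `SSLContext` that created it, which is why the cache owns the context.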