Qichao Chu <qc....@gatech.edu> added the comment:

I don't think it is a bug in OpenSSL. For various reasons, certain applications must allow renegotiation while this leaves a security problem for others. That's why if Python can control this flag, applications will be more confident in dealing with DoS attacks aimed at renegotiation.
This flag controls not only SSL3 but also TLSv1.1 and TLSv1.2 after testing on Nginx and Gevent. As of OpenSSL 1.0.2h, in file ssl/s3_lib.c:

    int ssl3_renegotiate(SSL *s)
    {
        if (s->handshake_func == NULL)
            return (1);

        if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
            return (0);

        s->s3->renegotiate = 1;
        return (1);
    }

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32257>
_______________________________________
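An added example, not part of the original message or of CPython's source: one way a server can refuse renegotiation from Python using `ssl.OP_NO_RENEGOTIATION` (Python 3.7+ built against OpenSSL 1.1.0h or later). That option maps to OpenSSL's `SSL_OP_NO_RENEGOTIATION`, which is a different mechanism from the `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` flag quoted above; the function names and the TLS 1.3-only fallback are assumptions of this example.

```python
import ssl


def harden_against_renegotiation(ctx: ssl.SSLContext) -> str:
    """Disable renegotiation on ctx and return the mechanism that was used."""
    # Preferred: the dedicated option. It is only present when the linked
    # OpenSSL defines SSL_OP_NO_RENEGOTIATION, so look it up defensively.
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if no_reneg is not None:
        ctx.options |= no_reneg
        return "OP_NO_RENEGOTIATION"
    # Fallback (assumption of this example): TLS 1.3 has no renegotiation,
    # so restricting the context to TLS 1.3 removes the feature entirely,
    # at the cost of rejecting older clients.
    if getattr(ssl, "HAS_TLSv1_3", False):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        return "TLSv1.3-only"
    raise RuntimeError("this Python/OpenSSL build cannot disable renegotiation")


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True if ctx cannot take part in a renegotiation."""
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if no_reneg and ctx.options & no_reneg:
        return True
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3


def make_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Build a server-side context with renegotiation turned off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile is not None:
        # Hypothetical paths supplied by the caller; nothing is loaded
        # when the function is only used to inspect the resulting options.
        ctx.load_cert_chain(certfile, keyfile)
    harden_against_renegotiation(ctx)
    return ctx


if __name__ == "__main__":
    context = make_server_context()
    print("renegotiation disabled:", renegotiation_disabled(context))
    print("options:", context.options)
```

Applications that must keep renegotiation available for some peers cannot use this context-wide switch and need rate limiting at the connection layer instead.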