[Python-Dev] Disabling SSL 3.0
A big security breach of SSL 3.0 just dropped a little while ago (named POODLE). With this there is now no ability to securely connect via SSL 3.0. I believe that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled, where it is disabled by default unless the user has explicitly re-enabled it.

The new attack essentially allows reading the sensitive data from within an SSL 3.0 connection stream. It takes roughly 256 requests to break a single byte, so the attack is very practical. You can read more about the attack here at the Google announcement [1] or the whitepaper [2].

[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
[2] https://www.openssl.org/~bodo/ssl-poodle.pdf

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

___
Python-Dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Disabling SSL 3.0
Hi,

I opened an issue to track this vulnerability:
http://bugs.python.org/issue22638

SSL 3.0 is 8 years old, I guess that TLS is now widely deployed and well supported?

I guess that Linux vendors will have to fix the issues directly in OpenSSL. Should Python only be changed on Windows?

Or do you want to modify Python to disable SSLv3 in the ssl module? OpenSSL provides an SSL_OP_NO_SSLv2 option for an SSL context. Is there an SSL_OP_NO_SSLv3 option? Or only change the constructor of ssl.SSLContext?

Victor

2014-10-15 1:00 GMT+02:00 Donald Stufft :
> A big security breach of SSL 3.0 just dropped a little while ago (named
> POODLE).
> With this there is now no ability to securely connect via SSL 3.0. I believe
> that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled,
> where it is disabled by default unless the user has explicitly re-enabled it.
>
> The new attack essentially allows reading the sensitive data from within an SSL
> 3.0 connection stream. It takes roughly 256 requests to break a single byte, so
> the attack is very practical. You can read more about the attack here at the
> Google announcement [1] or the whitepaper [2].
>
> [1]
> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
> [2] https://www.openssl.org/~bodo/ssl-poodle.pdf
>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
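The option Victor asks about is exposed by the ssl module as ssl.OP_NO_SSLv3, alongside ssl.OP_NO_SSLv2. The following is an added example, not code from this thread or from CPython: a client context that keeps SSLv2/SSLv3 off (and raises the floor to TLS 1.2 via minimum_version, the modern replacement for OP_NO_* bits), plus a small audit helper that reports which legacy SSL versions a given option mask would still negotiate. The helper names (legacy_protocols_allowed, hardened_client_context, audit_context) are hypothetical, and Python 3.7+ is assumed for minimum_version.

```python
import ssl

# OpenSSL's SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 appear in the ssl module as
# OP_NO_SSLv2 / OP_NO_SSLv3; a set bit means that protocol version is refused.
LEGACY_PROTOCOL_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
}
ALL_LEGACY_DISABLED = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def legacy_protocols_allowed(options):
    """Names of legacy SSL versions a context with these option bits would
    still be willing to negotiate (empty list means all are disabled)."""
    allowed = []
    for name, flag in LEGACY_PROTOCOL_FLAGS.items():
        if flag == 0:
            # OpenSSL 1.1.0+ removed SSLv2 entirely and defines the flag as 0,
            # so there is nothing left to disable and nothing to check.
            continue
        if not options & flag:
            allowed.append(name)
    return allowed


def hardened_client_context():
    """Client context that refuses SSLv2/SSLv3 and anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Python already sets OP_NO_SSLv2 | OP_NO_SSLv3 on a new context and
    # PROTOCOL_TLS_CLIENT enables certificate and hostname checks; the version
    # floor is stated explicitly so a downgrade cannot come back via options.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    return ctx


def audit_context(ctx):
    """Summarise a context's protocol floor, e.g. for a log line or a test."""
    return {
        "legacy_allowed": legacy_protocols_allowed(ctx.options),
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
    }


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))
    # An all-zero option mask is what a context with nothing disabled looks like.
    print("legacy allowed with no options set:", legacy_protocols_allowed(0))
```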
Re: [Python-Dev] Disabling SSL 3.0
On Wed, 15 Oct 2014 01:16:26 +0200 Victor Stinner wrote:
> Hi,
>
> I opened an issue to track this vulnerability:
> http://bugs.python.org/issue22638
>
> SSL 3.0 is 8 years old, I guess that TLS is now widely deployed and
> well supported?
>
> I guess that Linux vendors will have to fix the issues directly in
> OpenSSL. Should Python only be changed on Windows?

If OpenSSL gets a patch, we can simply update the OpenSSL version used for Windows installers.

> Or do you want to modify Python to disable SSLv3 in the ssl module?
> OpenSSL provides an SSL_OP_NO_SSLv2 option for an SSL context. Is there an
> SSL_OP_NO_SSLv3 option? Or only change the constructor of
> ssl.SSLContext?

Please let's not have this discussion on two different channels. *Either* the bug tracker or the mailing list.

Thank you

Antoine.
[Python-Dev] Review tool not detecting all changed files
Hi,

We were working on an IDLE-related issue [1], when I noticed that the review tool does not detect all affected files for the cfg-ext-34-2.diff patch uploaded by Terry Reedy. Version 1 of the same patch does not have this issue - the only difference between the two files being line endings and time stamps. Also see Terry Reedy's message in the same issue [3].

Could someone please let me know if this is normal behavior or not?

[1] - http://bugs.python.org/issue3068
[2] - http://bugs.python.org/file36904/cfg-ext-34-2.diff
[3] - http://bugs.python.org/issue3068#msg229315

--
Regards
Saimadhav Heblikar
Re: [Python-Dev] Review tool not detecting all changed files
On 10/14/2014 8:24 PM, Saimadhav Heblikar wrote:
> Hi,
>
> We were working on an IDLE-related issue [1], when I noticed that the review
> tool does not detect all affected files for the cfg-ext-34-2.diff patch
> uploaded by Terry Reedy. Version 1 of the same patch does not have this
> issue - the only difference between the two files being line endings and
> time stamps. Also see Terry Reedy's message in the same issue [3].

Versions 3 and 4 also work fine.

> Could someone please let me know if this is normal behavior or not?
>
> [1] - http://bugs.python.org/issue3068
> [2] - http://bugs.python.org/file36904/cfg-ext-34-2.diff
> [3] - http://bugs.python.org/issue3068#msg229315

--
Terry Jan Reedy
