Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #91201

Re: Query on Python 3.2 and supported OpenSSL Versions

Date 2015-05-25 12:07 +0100
From Simon Ward <simon+python@bleah.co.uk>
Subject Re: Query on Python 3.2 and supported OpenSSL Versions
References <867F5C4940403B47B2474432369BAF790FFBD992@ESESSMB309.ericsson.se>
Newsgroups comp.lang.python
Message-ID <mailman.36.1432553047.5151.python-list@python.org> (permalink)

Show all headers | View raw

On Mon, May 25, 2015 at 09:33:06AM +0000, Donal Duane wrote:
> 
> Hi Python Users,
> 
> I was hoping you might be able to assist me with a query:
> 
> 2 Questions:
> 
> 
> 1.       Could Python 3.2, when compiled against OpenSSL 1.0.0j, be
> affected by the poodle bug?
> https://www.openssl.org/~bodo/ssl-poodle.pdf

Yes, POODLE is two things:

 1. Due to client‐side fallback mechanisms outside of SSL and TLS, it
    is possible to force a client to connect with a different version of
    the protocol, i.e. a protocol downgrade.

 2. Due to the way padding is implemented in SSL 3.0 there is a padding
    oracle attack on CBC mode ciphers. This affects all implementations
    of SSL 3.0, and some of TLS 1.0 (but not OpenSSL).

All versions of OpenSSL (that support SSL 3.0) are affected by (2)
because it is inherent in the protocol. The fix is not to allow SSL, and
enable the latest versions of TLS.

Later versions of OpenSSL (0.9.8zc, 1.0.0o, 1.0.1j) added a workaround,
the TLS_FALLBACK_SCSV mechanism, which allows clients to specify when
they have falled back to an earlier version, preventing downgrade
attacks (1). It only works if the both the client and server support the
mechanism, and if SSL 3.0 is used it is still affected by the padding
oracle attack (2).

> 2.       If yes - are the following OpenSSL versions  approved for use
> with Python 3.2:

I can’t answer for approved but I have builds of Python than use OpenSSL
0.9.8 and 1.0.1 and it should build against any version in these
branches. I also have pyOpenSSL built against these branches.

Simon
-- 
A complex system that works is invariably found to have evolved from a
simple system that works.—John Gall

Back to comp.lang.python | Previous | Next | Find similar | Unroll thread

Thread

Re: Query on Python  3.2 and supported OpenSSL Versions Simon Ward <simon+python@bleah.co.uk> - 2015-05-25 12:07 +0100

csiph-web