Discussion:
Python ssl handling could be better...
(too old to reply)
dave b
2010-09-29 15:12:29 UTC
Permalink
Python ssl handling could be better...
See http://bugs.python.org/issue1589 for more information.

The for example following are vulnerable:
1. hg http://mercurial.selenic.com/bts/issue2407
2. bzr (only if pycurl isn't installed - which by default it isn't)
https://bugs.edge.launchpad.net/bzr/+bug/651161
3. libcloud http://github.com/apache/libcloud/issues/issue/2
4. linode-python http://github.com/tjfontaine/linode-python/issues#issue/1

This full disclosure posting is to get more people to be aware of
these issues so they can *fix* or not *make* them in the future.

--
This night methinks is but the daylight sick. -- William Shakespeare,
"The Merchant of Venice"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
dave b
2010-09-29 15:28:54 UTC
Permalink
%s/^The//g

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
dave b
2010-09-29 19:59:53 UTC
Permalink
Thanks Dave.
Out of curiosity, did you burn any bridges, or is this OK for Free
Software/Open Source software? If I did the same in private industry,
I would probably be fired :/
Sorry I will only reply on the list.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
dave b
2010-11-14 16:54:29 UTC
Permalink
Just when you thought it couldn't get worse...

http://bugs.python.org/issue3596
http://bugs.python.org/issue4870

So now the programmer still needs to say OH disable sslv2 (or doesn't
select sslv2) but by default it will be enabled.

The python doc says this:
ssl.PROTOCOL_SSLv23

Selects SSL version 2 or 3 as the channel encryption protocol.
This is a setting to use with servers for maximum compatibility with
the other end of an SSL connection, but it may cause the specific
ciphers chosen for the encryption to be of fairly low quality.

and above this:

ssl.PROTOCOL_SSLv2

Selects SSL version 2 as the channel encryption protocol.

Warning

SSL version 2 is insecure. Its use is highly discouraged.


But the default is to use PROTOCOL_SSLv23.
So if looking back at the mercurial source code we have in mercurial/url.py

# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
_ssl_wrap_socket = ssl.wrap_socket
CERT_REQUIRED = ssl.CERT_REQUIRED
except ImportError:
CERT_REQUIRED = 2
...



and then for some use...
def connect(self):
if has_https and self.realhostport: # use CONNECT proxy
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((self.host, self.port))
if _generic_proxytunnel(self):
# we do not support client x509 certificates
self.sock = _ssl_wrap_socket(self.sock, None, None)


ssl.OP_NO_SSLv2 is now in python 3.2 but it isn't 'on' by default.
"SSL version 2 is considered insecure and is therefore dangerous to
use. If you want maximum compatibility between clients and servers, it
is recommended to use PROTOCOL_SSLv23 as the protocol version and then
disable SSLv2 explicitly using the SSLContext.options attribute:"



http://svn.python.org/view/python/trunk/Lib/ssl.py?revision=80557&view=markup

class SSLSocket(socket):

"""This class implements a subtype of socket.socket that wraps
the underlying OS socket in an SSL context when necessary, and
provides read and write methods over that channel."""

def __init__(self, sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,

....

def wrap_socket(sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,


...

def sslwrap_simple(sock, keyfile=None, certfile=None):

"""A replacement for the old socket.ssl function. Designed
for compability with Python 2.5 and earlier. Will disappear in
Python 3.0."""

if hasattr(sock, "_sock"):
sock = sock._sock

ssl_sock = _ssl.sslwrap(sock, 0, keyfile, certfile, CERT_NONE,
PROTOCOL_SSLv23, None)


--
There's small choice in rotten apples. -- William Shakespeare, "The
Taming of the Shrew"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Loading...