Merge lp:~jderose/microfiber/crime into lp:microfiber

Proposed by Jason Gerard DeRose
Status: Merged
Merged at revision: 149
Proposed branch: lp:~jderose/microfiber/crime
Merge into: lp:microfiber
Diff against target: 58 lines (+9/-0)
2 files modified
microfiber.py (+5/-0)
test_microfiber.py (+4/-0)
To merge this branch: bzr merge lp:~jderose/microfiber/crime
Reviewer: David Jordan
Review status: Approve
Review via email: mp+127145@code.launchpad.net

Description of the change

* Adds Python3.2 monkey patch for ssl.OP_NO_COMPRESSION constant

* build_ssl_context() now sets the options like this:

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION

* Updates build_ssl_context() tests to check ctx.options

Jason Gerard DeRose (jderose) wrote :

Oh, one more thing: I've done some out-of-band tests with Apache and mod_wsgi to confirm that setting ssl.OP_NO_COMPRESSION on the client-side indeed results in compression being disabled, even when it's not disabled on the server.

David Jordan (dmj726) wrote :

Thanks! This'll be good to ensure security, though I suspect there wasn't much of a vulnerability here.

review: Approve

Preview Diff

1=== modified file 'microfiber.py'
2--- microfiber.py 2012-09-26 09:01:57 +0000
3+++ microfiber.py 2012-09-30 09:27:21 +0000
4@@ -59,6 +59,10 @@
5 import math
6 import platform
7
8+# Monkey patch python3.2 to add ssl.OP_NO_COMPRESSION available in python3.3:
9+if not hasattr(ssl, 'OP_NO_COMPRESSION'):
10+ ssl.OP_NO_COMPRESSION = 131072
11+
12
13 __all__ = (
14 'random_id',
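Review bot: The fallback assignment "ssl.OP_NO_COMPRESSION = 131072" writes into the standard library's ssl module, so every other importer in the process sees the patched attribute, and the value is an unexplained magic number. Consider a module-local name instead, for example "OP_NO_COMPRESSION = getattr(ssl, 'OP_NO_COMPRESSION', 0x20000)", with a comment stating that 0x20000 (131072) is OpenSSL's SSL_OP_NO_COMPRESSION bit, and use that name in build_ssl_context().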
15@@ -519,6 +523,7 @@
16 def build_ssl_context(config):
17 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
18 ctx.verify_mode = ssl.CERT_REQUIRED
19+ ctx.options |= ssl.OP_NO_COMPRESSION # Protect against CRIME-like attacks
20
21 # Configure certificate authorities used to verify server certs
22 if 'ca_file' in config or 'ca_path' in config:
23
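Review bot: The trailing comment on the added "ctx.options |= ssl.OP_NO_COMPRESSION" line is broader than what the flag does: it turns off compression at the TLS layer only, and any compression applied at the HTTP layer is unaffected. Suggest wording such as "# Disable TLS-level compression (CRIME)" so a later reader does not assume all compression side channels are covered.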
24=== modified file 'test_microfiber.py'
25--- test_microfiber.py 2012-09-25 07:29:00 +0000
26+++ test_microfiber.py 2012-09-30 09:27:21 +0000
27@@ -372,6 +372,7 @@
28 self.assertIsInstance(ctx, ssl.SSLContext)
29 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
30 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
31+ self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
32
33 # Provide ca_file
34 config = {
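Review bot: The added assertEqual pins ctx.options to exactly "ssl.OP_ALL | ssl.OP_NO_COMPRESSION", which ties the test to the ssl module's default option set rather than to the behaviour this branch adds; build_ssl_context() only ORs in one flag, so the test fails if the defaults ever gain or lose a bit. Checking the flag itself, for example "self.assertTrue(ctx.options & ssl.OP_NO_COMPRESSION)", tests what the change is responsible for.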
35@@ -381,6 +382,7 @@
36 self.assertIsInstance(ctx, ssl.SSLContext)
37 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
38 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
39+ self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
40
41 # Provide cert_file and key_file (uses openssl default ca_path)
42 config = {
43@@ -391,6 +393,7 @@
44 self.assertIsInstance(ctx, ssl.SSLContext)
45 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
46 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
47+ self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
48
49 # Provide all three
50 config = {
51@@ -402,6 +405,7 @@
52 self.assertIsInstance(ctx, ssl.SSLContext)
53 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
54 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
55+ self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
56
57 # Provide junk ca_file, make sure ca_file is actually being used
58 config = {
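Review bot: This is the fourth copy of the same options assertion, after three identical assertIsInstance/protocol/verify_mode lines repeated in each config case. A small helper on the test case (hypothetical name: check_ctx(ctx)) holding the four assertions would keep the cases in sync the next time a context option is added.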
