Microfiber

Merge lp:~jderose/microfiber/crime into lp:microfiber

  1. crime
  2. Merge into trunk
Proposed by Jason Gerard DeRose
Status: Merged
Merged at revision: 149
Proposed branch: lp:~jderose/microfiber/crime
Merge into: lp:microfiber
Diff against target: 58 lines (+9/-0)
2 files modified
microfiber.py (+5/-0)
test_microfiber.py (+4/-0)
To merge this branch: bzr merge lp:~jderose/microfiber/crime
Reviewer Review Type Date Requested Status
David Jordan Approve
Review via email: mp+127145@code.launchpad.net

Description of the change

* Adds Python3.2 monkey patch for ssl.OP_NO_COMPRESSION constant

* build_ssl_context() now sets the options like this:

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION

* Updates build_ssl_context() tests to check ctx.options

To post a comment you must log in.
Revision history for this message
Jason Gerard DeRose (jderose) wrote :

Oh, one more thing: I've done some out-of-band tests with Apache and mod_wsgi to confirm that setting ssl.OP_NO_COMPRESSION on the client-side indeed results in compression being disabled, even when it's not disabled on the server.

Revision history for this message
David Jordan (dmj726) wrote :

Thanks! This'll be good to ensure security, though I suspect there wasn't much of a vulnerability here.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'microfiber.py'
--- microfiber.py 2012-09-26 09:01:57 +0000
+++ microfiber.py 2012-09-30 09:27:21 +0000
@@ -59,6 +59,10 @@
59import math59import math
60import platform60import platform
6161
62# Monkey patch python3.2 to add ssl.OP_NO_COMPRESSION available in python3.3:
63if not hasattr(ssl, 'OP_NO_COMPRESSION'):
64 ssl.OP_NO_COMPRESSION = 131072
65
6266
63__all__ = (67__all__ = (
64 'random_id',68 'random_id',
@@ -519,6 +523,7 @@
519def build_ssl_context(config):523def build_ssl_context(config):
520 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)524 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
521 ctx.verify_mode = ssl.CERT_REQUIRED525 ctx.verify_mode = ssl.CERT_REQUIRED
526 ctx.options |= ssl.OP_NO_COMPRESSION # Protect against CRIME-like attacks
522527
523 # Configure certificate authorities used to verify server certs528 # Configure certificate authorities used to verify server certs
524 if 'ca_file' in config or 'ca_path' in config:529 if 'ca_file' in config or 'ca_path' in config:
525530
=== modified file 'test_microfiber.py'
--- test_microfiber.py 2012-09-25 07:29:00 +0000
+++ test_microfiber.py 2012-09-30 09:27:21 +0000
@@ -372,6 +372,7 @@
372 self.assertIsInstance(ctx, ssl.SSLContext)372 self.assertIsInstance(ctx, ssl.SSLContext)
373 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)373 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
374 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)374 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
375 self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
375376
376 # Provide ca_file377 # Provide ca_file
377 config = {378 config = {
@@ -381,6 +382,7 @@
381 self.assertIsInstance(ctx, ssl.SSLContext)382 self.assertIsInstance(ctx, ssl.SSLContext)
382 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)383 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
383 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)384 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
385 self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
384386
385 # Provide cert_file and key_file (uses openssl default ca_path)387 # Provide cert_file and key_file (uses openssl default ca_path)
386 config = {388 config = {
@@ -391,6 +393,7 @@
391 self.assertIsInstance(ctx, ssl.SSLContext)393 self.assertIsInstance(ctx, ssl.SSLContext)
392 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)394 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
393 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)395 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
396 self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
394397
395 # Provide all three398 # Provide all three
396 config = {399 config = {
@@ -402,6 +405,7 @@
402 self.assertIsInstance(ctx, ssl.SSLContext)405 self.assertIsInstance(ctx, ssl.SSLContext)
403 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)406 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
404 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)407 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
408 self.assertEqual(ctx.options, ssl.OP_ALL | ssl.OP_NO_COMPRESSION)
405409
406 # Provide junk ca_file, make sure ca_file is actually being used410 # Provide junk ca_file, make sure ca_file is actually being used
407 config = {411 config = {

Subscribers

People subscribed via source and target branches