From 4c10e236d949e1fc5efe356387a9e498c7cfec4f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 29 Oct 2013 21:08:56 +0100 Subject: Issue #18747: document issue with OpenSSL's CPRNG state and fork --- Doc/library/os.rst | 4 ++++ Doc/library/ssl.rst | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/Doc/library/os.rst b/Doc/library/os.rst index 715f6543b7..ebba21ac46 100644 --- a/Doc/library/os.rst +++ b/Doc/library/os.rst @@ -1809,6 +1809,10 @@ written in Python, such as a mail server's external command delivery program. Note that some platforms including FreeBSD <= 6.3, Cygwin and OS/2 EMX have known issues when using fork() from a thread. + .. warning:: + + See :mod:`ssl` for applications that use the SSL module with fork(). + Availability: Unix. diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 0f5cea2f0b..56fcc524c8 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -28,6 +28,14 @@ probably additional platforms, as long as OpenSSL is installed on that platform. operating system socket APIs. The installed version of OpenSSL may also cause variations in behavior. +.. warning:: + + OpenSSL's internal random number generator does not properly handle fork. + Applications must change the PRNG state of the parent process if they use + any SSL feature with with :func:`os.fork`. Any successful call of + :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or + :func:`~ssl.RAND_pseudo_bytes` is sufficient. + This section documents the objects and functions in the ``ssl`` module; for more general information about TLS, SSL, and certificates, the reader is referred to the documents in the "See Also" section at the bottom. -- cgit v1.2.1