This bulletin was posted on March 4th, 2019 and has been updated as of March 7th, 2019
On Sunday February 24th the Sanic Community was contacted about a recently
discovered issue when implementing SSL directly through Sanic. The core development
team reviewed options and impact and has identified several remediation paths.
Sanic running under versions of Python prior to 3.7 are impacted by a possible
denial of service whereby the SSL handshake is left in an incomplete state,
causing connection exhaustion or memory exhaustion, preventing further
connections. This is due to Python not implementing a connection timeout for
SSL prior to version 3.7. Ref: https://bugs.python.org/issue29970
Who is affected?
Anyone using Sanic to terminate SSL connections and using Python versions
3.6.x and prior when not using uvloop (installed with SANIC_NO_UVLOOP, as
for example in alpine-based containers)
Remediation options, in order of preference
- Update to Python 3.7 - the fix is included in Python itself
- Terminate SSL at a load balancer or a proxy (such as AWS’ ALB or nginx)
- Implement the patch created by Richard Kuesters - see: https://github.com/vltr/sslproto37
This includes simple examples including how to see the DOS issue. Earlier
revisions indicated an increase on overhead, however we are backporting
the change to 3.7 for the handshake, and so no additional impact is expected.