cpython: ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME

http://hg.python.org/cpython/rev/98eb88d3d94e changeset: 87622:98eb88d3d94e user: Christian Heimes <christian@cheimes.de> date: Thu Nov 28 08:06:54 2013 +0100 summary: ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME files: Lib/ssl.py | 2 ++ Misc/NEWS | 2 ++ 2 files changed, 4 insertions(+), 0 deletions(-) diff --git a/Lib/ssl.py b/Lib/ssl.py --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -383,6 +383,8 @@ context = SSLContext(PROTOCOL_TLSv1) # SSLv2 considered harmful. context.options |= OP_NO_SSLv2 + # disable compression to prevent CRIME attacks (OpenSSL 1.0+) + context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0) # disallow ciphers with known vulnerabilities context.set_ciphers(_RESTRICTED_CIPHERS) # verify certs in client mode diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -18,6 +18,8 @@ Library ------- +- ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME. + - Issue #19802: Add socket.SO_PRIORITY. - Issue #11508: Fixed uuid.getnode() and uuid.uuid1() on environment with -- Repository URL: http://hg.python.org/cpython
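Review bot: in the Lib/ssl.py hunk, `context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)` silently becomes a no-op on builds whose OpenSSL does not export the flag, so a caller of create_default_context() cannot tell whether compression was actually disabled; the neighbouring line uses the module-level `OP_NO_SSLv2` directly, so for consistency the new flag could be referenced the same way where it is available, and the inline comment "(OpenSSL 1.0+)" should say that the option is skipped otherwise. No test accompanies the change; a test_ssl check that `ctx.options & OP_NO_COMPRESSION` is non-zero whenever the constant exists would pin down the intended behaviour.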
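Review bot: the new Misc/NEWS entry in the second hunk carries no issue reference, unlike the adjacent entries (`- Issue #19802: Add socket.SO_PRIORITY.`); if a tracker issue exists for this change, prefix the entry the same way, and consider noting that OP_NO_COMPRESSION is only set when the linked OpenSSL exposes it, since the code falls back to 0 otherwise.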