[Python-checkins] cpython (merge 3.2 -> default): Issue #13636: Weak ciphers are now disabled by default in the ssl module
antoine.pitrou
python-checkins at python.org
Tue Jan 3 22:51:42 CET 2012
http://hg.python.org/cpython/rev/ace54f5e75d7
changeset: 74249:ace54f5e75d7
parent: 74244:f38182db6c7a
parent: 74248:25c2d24e1b11
user: Antoine Pitrou <solipsis at pitrou.net>
date: Tue Jan 03 22:49:08 2012 +0100
summary:
Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
files:
Lib/ssl.py | 13 +++++++++++--
Lib/test/test_ssl.py | 22 +++++++++++++++++++++-
Misc/NEWS | 3 +++
3 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -98,8 +98,9 @@
}
try:
from _ssl import PROTOCOL_SSLv2
+ _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
except ImportError:
- pass
+ _SSLv2_IF_EXISTS = None
else:
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
@@ -115,6 +116,11 @@
else:
CHANNEL_BINDING_TYPES = []
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+
+
class CertificateError(ValueError):
pass
@@ -181,7 +187,10 @@
__slots__ = ('protocol',)
def __new__(cls, protocol, *args, **kwargs):
- return _SSLContext.__new__(cls, protocol)
+ self = _SSLContext.__new__(cls, protocol)
+ if protocol != _SSLv2_IF_EXISTS:
+ self.set_ciphers(_DEFAULT_CIPHERS)
+ return self
def __init__(self, protocol):
self.protocol = protocol
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -878,10 +878,11 @@
try:
self.sslconn = self.server.context.wrap_socket(
self.sock, server_side=True)
- except ssl.SSLError:
+ except ssl.SSLError as e:
# XXX Various errors can have happened here, for example
# a mismatching protocol version, an invalid certificate,
# or a low-level bug. This should be made more discriminating.
+ self.server.conn_errors.append(e)
if self.server.chatty:
handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
self.running = False
@@ -999,12 +1000,14 @@
self.port = support.bind_port(self.sock)
self.flag = None
self.active = False
+ self.conn_errors = []
threading.Thread.__init__(self)
self.daemon = True
def __enter__(self):
self.start(threading.Event())
self.flag.wait()
+ return self
def __exit__(self, *args):
self.stop()
@@ -1124,6 +1127,7 @@
def __enter__(self):
self.start(threading.Event())
self.flag.wait()
+ return self
def __exit__(self, *args):
if support.verbose:
@@ -1739,6 +1743,22 @@
t.join()
server.close()
+ def test_default_ciphers(self):
+ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ try:
+ # Force a set of weak ciphers on our client context
+ context.set_ciphers("DES")
+ except ssl.SSLError:
+ self.skipTest("no DES cipher available")
+ with ThreadedEchoServer(CERTFILE,
+ ssl_version=ssl.PROTOCOL_SSLv23,
+ chatty=False) as server:
+ with socket.socket() as sock:
+ s = context.wrap_socket(sock)
+ with self.assertRaises((OSError, ssl.SSLError)):
+ s.connect((HOST, server.port))
+ self.assertIn("no shared cipher", str(server.conn_errors[0]))
+
@unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
"'tls-unique' channel binding not available")
def test_tls_unique_channel_binding(self):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -422,6 +422,9 @@
Library
-------
+- Issue #13636: Weak ciphers are now disabled by default in the ssl module
+ (except when SSLv2 is explicitly asked for).
+
- Issue #12715: Add an optional symlinks argument to shutil functions
(copyfile, copymode, copystat, copy, copy2). When that parameter is
true, symlinks aren't dereferenced and the operation instead acts on the
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list