[Python-checkins] cpython (2.7): Issue #13636: Weak ciphers are now disabled by default in the ssl module
antoine.pitrou
python-checkins at python.org
Tue Jan 3 23:00:50 CET 2012
http://hg.python.org/cpython/rev/f9122975fd80
changeset: 74252:f9122975fd80
branch: 2.7
parent: 74245:4fad6b811c8b
user: Antoine Pitrou <solipsis at pitrou.net>
date: Tue Jan 03 22:46:48 2012 +0100
summary:
Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
files:
Lib/ssl.py | 11 ++++++++++-
Lib/test/test_ssl.py | 25 ++++++++++++++++++++++++-
Misc/NEWS | 3 +++
3 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -81,8 +81,9 @@
}
try:
from _ssl import PROTOCOL_SSLv2
+ _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
except ImportError:
- pass
+ _SSLv2_IF_EXISTS = None
else:
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
@@ -91,6 +92,11 @@
import base64 # for DER-to-PEM translation
import errno
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+
+
class SSLSocket(socket):
"""This class implements a subtype of socket.socket that wraps
@@ -112,6 +118,9 @@
except AttributeError:
pass
+ if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
+ ciphers = _DEFAULT_CIPHERS
+
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -417,10 +417,11 @@
ca_certs=self.server.cacerts,
cert_reqs=self.server.certreqs,
ciphers=self.server.ciphers)
- except ssl.SSLError:
+ except ssl.SSLError as e:
# XXX Various errors can have happened here, for example
# a mismatching protocol version, an invalid certificate,
# or a low-level bug. This should be made more discriminating.
+ self.server.conn_errors.append(e)
if self.server.chatty:
handle_error("\n server: bad connection attempt from " +
str(self.sock.getpeername()) + ":\n")
@@ -529,12 +530,14 @@
sys.stdout.write(' server: wrapped server socket as %s\n' % str(self.sock))
self.port = test_support.bind_port(self.sock)
self.active = False
+ self.conn_errors = []
threading.Thread.__init__(self)
self.daemon = True
def __enter__(self):
self.start(threading.Event())
self.flag.wait()
+ return self
def __exit__(self, *args):
self.stop()
@@ -649,6 +652,7 @@
def __enter__(self):
self.start(threading.Event())
self.flag.wait()
+ return self
def __exit__(self, *args):
if test_support.verbose:
@@ -1310,6 +1314,25 @@
t.join()
server.close()
+ def test_default_ciphers(self):
+ with ThreadedEchoServer(CERTFILE,
+ ssl_version=ssl.PROTOCOL_SSLv23,
+ chatty=False) as server:
+ sock = socket.socket()
+ try:
+ # Force a set of weak ciphers on our client socket
+ try:
+ s = ssl.wrap_socket(sock,
+ ssl_version=ssl.PROTOCOL_SSLv23,
+ ciphers="DES")
+ except ssl.SSLError:
+ self.skipTest("no DES cipher available")
+ with self.assertRaises((OSError, ssl.SSLError)):
+ s.connect((HOST, server.port))
+ finally:
+ sock.close()
+ self.assertIn("no shared cipher", str(server.conn_errors[0]))
+
def test_main(verbose=False):
global CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, NOKIACERT
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -89,6 +89,9 @@
Library
-------
+- Issue #13636: Weak ciphers are now disabled by default in the ssl module
+ (except when SSLv2 is explicitly asked for).
+
- Issue #12798: Updated the mimetypes documentation.
- Issue #13639: Accept unicode filenames in tarfile.open(mode="w|gz").
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list