[Python-checkins] cpython: ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME

christian.heimes python-checkins at python.org
Thu Nov 28 08:07:03 CET 2013


http://hg.python.org/cpython/rev/98eb88d3d94e
changeset:   87622:98eb88d3d94e
user:        Christian Heimes <christian at cheimes.de>
date:        Thu Nov 28 08:06:54 2013 +0100
summary:
  ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME

files:
  Lib/ssl.py |  2 ++
  Misc/NEWS  |  2 ++
  2 files changed, 4 insertions(+), 0 deletions(-)


diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -383,6 +383,8 @@
     context = SSLContext(PROTOCOL_TLSv1)
     # SSLv2 considered harmful.
     context.options |= OP_NO_SSLv2
+    # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
+    context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
     # disallow ciphers with known vulnerabilities
     context.set_ciphers(_RESTRICTED_CIPHERS)
     # verify certs in client mode
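Review bot: the `getattr(_ssl, "OP_NO_COMPRESSION", 0)` fallback on the second added line means that on an OpenSSL build without the flag the option silently resolves to 0 and compression stays enabled, so the "prevent CRIME" guarantee in the commit title only holds on OpenSSL 1.0+. That is a reasonable degradation, but it should be stated in the docstring of `create_default_context()` rather than only in the inline comment, since callers relying on this context for CRIME protection have no way to tell which case they got; alternatively, expose the result (e.g. by making the comment say "no-op on older OpenSSL"). The neighbouring line uses the bare module-level `OP_NO_SSLv2` while this one reaches into `_ssl` directly; a one-line comment explaining why the constant is not imported at module level like the others would keep the two styles from looking accidental.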
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,8 @@
 Library
 -------
 
+- ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME.
+
 - Issue #19802: Add socket.SO_PRIORITY.
 
 - Issue #11508: Fixed uuid.getnode() and uuid.uuid1() on environment with
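Review bot: the new NEWS entry is the only one in this block without an "Issue #NNNNN:" prefix, which the adjacent entries use consistently; if there is a tracker issue for this change, add it in the same form, and consider noting that the option only takes effect on OpenSSL builds that expose OP_NO_COMPRESSION, since the entry otherwise reads as an unconditional guarantee.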

-- 
Repository URL: http://hg.python.org/cpython