[Python-checkins] cpython (merge 3.3 -> default): Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
antoine.pitrou
python-checkins at python.org
Thu Jan 9 20:09:15 CET 2014
http://hg.python.org/cpython/rev/e02288de43ed
changeset: 88378:e02288de43ed
parent: 88374:2af308f79727
parent: 88377:da8486e3e0eb
user: Antoine Pitrou <solipsis at pitrou.net>
date: Thu Jan 09 20:09:03 2014 +0100
summary:
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
files:
Lib/test/test_ssl.py | 10 ++++------
Misc/NEWS | 3 +++
Modules/_ssl.c | 9 +++++----
3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -670,9 +670,7 @@
@skip_if_broken_ubuntu_ssl
def test_options(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # OP_ALL is the default value
- self.assertEqual(ssl.OP_ALL, ctx.options)
- ctx.options |= ssl.OP_NO_SSLv2
+ # OP_ALL | OP_NO_SSLv2 is the default value
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
ctx.options)
ctx.options |= ssl.OP_NO_SSLv3
@@ -2095,7 +2093,7 @@
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
# SSLv23 client with specific SSL options
@@ -2103,9 +2101,9 @@
# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
client_options=ssl.OP_NO_SSLv2)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
client_options=ssl.OP_NO_SSLv3)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
client_options=ssl.OP_NO_TLSv1)
@skip_if_broken_ubuntu_ssl
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -25,6 +25,9 @@
Library
-------
+- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
+ asked for.
+
- Issue #18960: The tokenize module now ignore the source encoding declaration
on the second line if the first line contains anything except a comment.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -134,9 +134,7 @@
};
enum py_ssl_version {
-#ifndef OPENSSL_NO_SSL2
PY_SSL_VERSION_SSL2,
-#endif
PY_SSL_VERSION_SSL3=1,
PY_SSL_VERSION_SSL23,
#if HAVE_TLSv1_2
@@ -1999,6 +1997,7 @@
char *kwlist[] = {"protocol", NULL};
PySSLContext *self;
int proto_version = PY_SSL_VERSION_SSL23;
+ long options;
SSL_CTX *ctx = NULL;
if (!PyArg_ParseTupleAndKeywords(
@@ -2055,8 +2054,10 @@
self->check_hostname = 0;
/* Defaults */
SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
- SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ if (proto_version != PY_SSL_VERSION_SSL2)
+ options |= SSL_OP_NO_SSLv2;
+ SSL_CTX_set_options(self->ctx, options);
#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list