diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 14d3cc1e96c..34e86767562 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -670,9 +670,7 @@ class ContextTests(unittest.TestCase): @skip_if_broken_ubuntu_ssl def test_options(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - # OP_ALL is the default value - self.assertEqual(ssl.OP_ALL, ctx.options) - ctx.options |= ssl.OP_NO_SSLv2 + # OP_ALL | OP_NO_SSLv2 is the default value self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, ctx.options) ctx.options |= ssl.OP_NO_SSLv3 @@ -2095,7 +2093,7 @@ else: try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED) - try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True) + try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False) # SSLv23 client with specific SSL options @@ -2103,9 +2101,9 @@ else: # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False, client_options=ssl.OP_NO_SSLv2) - try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True, + try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False, client_options=ssl.OP_NO_SSLv3) - try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True, + try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False, client_options=ssl.OP_NO_TLSv1) @skip_if_broken_ubuntu_ssl diff --git a/Misc/NEWS b/Misc/NEWS index cb59a68a1e8..e58df2a3357 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -25,6 +25,9 @@ Core and Builtins Library ------- +- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly + asked for. + - Issue #18960: The tokenize module now ignore the source encoding declaration on the second line if the first line contains anything except a comment. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index a370b1b41e2..2e3c5b1187e 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -134,9 +134,7 @@ enum py_ssl_cert_requirements { }; enum py_ssl_version { -#ifndef OPENSSL_NO_SSL2 PY_SSL_VERSION_SSL2, -#endif PY_SSL_VERSION_SSL3=1, PY_SSL_VERSION_SSL23, #if HAVE_TLSv1_2 @@ -1999,6 +1997,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) char *kwlist[] = {"protocol", NULL}; PySSLContext *self; int proto_version = PY_SSL_VERSION_SSL23; + long options; SSL_CTX *ctx = NULL; if (!PyArg_ParseTupleAndKeywords( @@ -2055,8 +2054,10 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) self->check_hostname = 0; /* Defaults */ SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); - SSL_CTX_set_options(self->ctx, - SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); + options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + if (proto_version != PY_SSL_VERSION_SSL2) + options |= SSL_OP_NO_SSLv2; + SSL_CTX_set_options(self->ctx, options); #define SID_CTX "Python" SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,