mirror of https://github.com/python/cpython
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
This commit is contained in:
commit
78ace81c93
|
@ -670,9 +670,7 @@ class ContextTests(unittest.TestCase):
|
|||
@skip_if_broken_ubuntu_ssl
|
||||
def test_options(self):
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
# OP_ALL is the default value
|
||||
self.assertEqual(ssl.OP_ALL, ctx.options)
|
||||
ctx.options |= ssl.OP_NO_SSLv2
|
||||
# OP_ALL | OP_NO_SSLv2 is the default value
|
||||
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
|
||||
ctx.options)
|
||||
ctx.options |= ssl.OP_NO_SSLv3
|
||||
|
@ -2095,7 +2093,7 @@ else:
|
|||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
|
||||
# SSLv23 client with specific SSL options
|
||||
|
@ -2103,9 +2101,9 @@ else:
|
|||
# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
|
||||
client_options=ssl.OP_NO_SSLv2)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
|
||||
client_options=ssl.OP_NO_SSLv3)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
|
||||
client_options=ssl.OP_NO_TLSv1)
|
||||
|
||||
@skip_if_broken_ubuntu_ssl
|
||||
|
|
|
@ -25,6 +25,9 @@ Core and Builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
|
||||
asked for.
|
||||
|
||||
- Issue #18960: The tokenize module now ignore the source encoding declaration
|
||||
on the second line if the first line contains anything except a comment.
|
||||
|
||||
|
|
|
@ -134,9 +134,7 @@ enum py_ssl_cert_requirements {
|
|||
};
|
||||
|
||||
enum py_ssl_version {
|
||||
#ifndef OPENSSL_NO_SSL2
|
||||
PY_SSL_VERSION_SSL2,
|
||||
#endif
|
||||
PY_SSL_VERSION_SSL3=1,
|
||||
PY_SSL_VERSION_SSL23,
|
||||
#if HAVE_TLSv1_2
|
||||
|
@ -1999,6 +1997,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
|||
char *kwlist[] = {"protocol", NULL};
|
||||
PySSLContext *self;
|
||||
int proto_version = PY_SSL_VERSION_SSL23;
|
||||
long options;
|
||||
SSL_CTX *ctx = NULL;
|
||||
|
||||
if (!PyArg_ParseTupleAndKeywords(
|
||||
|
@ -2055,8 +2054,10 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
|||
self->check_hostname = 0;
|
||||
/* Defaults */
|
||||
SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
|
||||
SSL_CTX_set_options(self->ctx,
|
||||
SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
||||
options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
||||
if (proto_version != PY_SSL_VERSION_SSL2)
|
||||
options |= SSL_OP_NO_SSLv2;
|
||||
SSL_CTX_set_options(self->ctx, options);
|
||||
|
||||
#define SID_CTX "Python"
|
||||
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
|
||||
|
|
Loading…
Reference in New Issue