always set OP_NO_SSLv3 by default (closes #25530)
This commit is contained in:
Benjamin Peterson
parent
59d451d68f
commit
10aaca9941
|
|
@ -714,12 +714,12 @@ class ContextTests(unittest.TestCase):
|
|||
@skip_if_broken_ubuntu_ssl
|
||||
def test_options(self):
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
# OP_ALL | OP_NO_SSLv2 is the default value
|
||||
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
|
||||
ctx.options)
|
||||
ctx.options |= ssl.OP_NO_SSLv3
|
||||
# OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
|
||||
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
|
||||
ctx.options)
|
||||
ctx.options |= ssl.OP_NO_TLSv1
|
||||
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1,
|
||||
ctx.options)
|
||||
if can_clear_options():
|
||||
ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
|
||||
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
|
||||
|
|
@ -2230,17 +2230,17 @@ else:
|
|||
" SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
|
||||
% str(x))
|
||||
if hasattr(ssl, 'PROTOCOL_SSLv3'):
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
|
||||
|
||||
if hasattr(ssl, 'PROTOCOL_SSLv3'):
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
|
||||
|
||||
if hasattr(ssl, 'PROTOCOL_SSLv3'):
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
|
||||
|
||||
|
|
@ -2272,8 +2272,8 @@ else:
|
|||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
|
||||
if no_sslv2_implies_sslv3_hello():
|
||||
# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3',
|
||||
client_options=ssl.OP_NO_SSLv2)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,
|
||||
False, client_options=ssl.OP_NO_SSLv2)
|
||||
|
||||
@skip_if_broken_ubuntu_ssl
|
||||
def test_protocol_tlsv1(self):
|
||||
|
|
|
|||
|
|
@ -49,6 +49,9 @@ Core and Builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating
|
||||
ssl.SSLContext.
|
||||
|
||||
- Issue #25569: Fix memory leak in SSLSocket.getpeercert().
|
||||
|
||||
- Issue #7759: Fixed the mhlib module on filesystems that doesn't support
|
||||
|
|
|
|||
|
|
@ -2046,6 +2046,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
|||
options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
||||
if (proto_version != PY_SSL_VERSION_SSL2)
|
||||
options |= SSL_OP_NO_SSLv2;
|
||||
if (proto_version != PY_SSL_VERSION_SSL3)
|
||||
options |= SSL_OP_NO_SSLv3;
|
||||
SSL_CTX_set_options(self->ctx, options);
|
||||
|
||||
#ifndef OPENSSL_NO_ECDH
|
||||
|
|
|
|||
Loading…
Reference in New Issue