From ee18b6f2fda4afcdd1a22adb5b0637019510907b Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Tue, 10 May 2011 00:38:00 +0200 Subject: [PATCH] Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2 protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid. Optimize also ssl.get_protocol_name(): speed does matter! --- Doc/library/ssl.rst | 3 +++ Lib/ssl.py | 25 +++++++++++++------------ Lib/test/test_ssl.py | 26 +++++++++++++++----------- Misc/NEWS | 2 ++ Modules/_ssl.c | 8 +++++++- 5 files changed, 40 insertions(+), 24 deletions(-) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index ff7a016a3cb..ca3242945b4 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -219,6 +219,9 @@ Functions, Constants, and Exceptions Selects SSL version 2 as the channel encryption protocol. + This protocol is not available if OpenSSL is compiled with OPENSSL_NO_SSL2 + flag. + .. warning:: SSL version 2 is insecure. Its use is highly discouraged. diff --git a/Lib/ssl.py b/Lib/ssl.py index f98bd73428f..bbb81110e8d 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -60,8 +60,6 @@ import _ssl # if we can't import it, let the error propagate from _ssl import SSLError from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED -from _ssl import (PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23, - PROTOCOL_TLSv1) from _ssl import RAND_status, RAND_egd, RAND_add from _ssl import ( SSL_ERROR_ZERO_RETURN, @@ -74,6 +72,18 @@ from _ssl import ( SSL_ERROR_EOF, SSL_ERROR_INVALID_ERROR_CODE, ) +from _ssl import PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1 +_PROTOCOL_NAMES = { + PROTOCOL_TLSv1: "TLSv1", + PROTOCOL_SSLv23: "SSLv23", + PROTOCOL_SSLv3: "SSLv3", +} +try: + from _ssl import PROTOCOL_SSLv2 +except ImportError: + pass +else: + _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2" from socket import getnameinfo as _getnameinfo from socket import error as socket_error @@ -427,13 +437,4 @@ def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None): return DER_cert_to_PEM_cert(dercert) def get_protocol_name(protocol_code): - if protocol_code == PROTOCOL_TLSv1: - return "TLSv1" - elif protocol_code == PROTOCOL_SSLv23: - return "SSLv23" - elif protocol_code == PROTOCOL_SSLv2: - return "SSLv2" - elif protocol_code == PROTOCOL_SSLv3: - return "SSLv3" - else: - return "" + return _PROTOCOL_NAMES.get(protocol_code, '') diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index bb38890b651..f2f4f80fc69 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -40,7 +40,7 @@ def handle_error(prefix): class BasicTests(unittest.TestCase): def test_constants(self): - ssl.PROTOCOL_SSLv2 + #ssl.PROTOCOL_SSLv2 ssl.PROTOCOL_SSLv23 ssl.PROTOCOL_SSLv3 ssl.PROTOCOL_TLSv1 @@ -838,6 +838,7 @@ else: finally: t.join() + @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'), "need SSLv2") def test_protocol_sslv2(self): """Connecting to an SSLv2 server with various client options""" if support.verbose: @@ -857,14 +858,15 @@ else: sys.stdout.write("\ntest_protocol_sslv23 disabled, " "as it fails on OpenSSL 1.0.0+") return - try: - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True) - except (ssl.SSLError, socket.error) as x: - # this fails on some older versions of OpenSSL (0.9.7l, for instance) - if support.verbose: - sys.stdout.write( - " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" - % str(x)) + if hasattr(ssl, 'PROTOCOL_SSLv2'): + try: + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True) + except (ssl.SSLError, socket.error) as x: + # this fails on some older versions of OpenSSL (0.9.7l, for instance) + if support.verbose: + sys.stdout.write( + " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" + % str(x)) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True) @@ -886,7 +888,8 @@ else: try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True) try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL) try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED) - try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False) + if hasattr(ssl, 'PROTOCOL_SSLv2'): + try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False) try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False) try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) @@ -899,7 +902,8 @@ else: try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True) try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL) try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED) - try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False) + if hasattr(ssl, 'PROTOCOL_SSLv2'): + try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False) try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False) try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False) diff --git a/Misc/NEWS b/Misc/NEWS index 951a136c40c..9f4d9a8b7ae 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -69,6 +69,8 @@ Core and Builtins Library ------- +- Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional. + - Issue #11164: Stop trying to use _xmlplus in the xml module. - Issue #11927: SMTP_SSL now uses port 465 by default as documented. Patch diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 73a76bbc058..8ebdc9b99db 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -63,8 +63,10 @@ enum py_ssl_cert_requirements { }; enum py_ssl_version { +#ifndef OPENSSL_NO_SSL2 PY_SSL_VERSION_SSL2, - PY_SSL_VERSION_SSL3, +#endif + PY_SSL_VERSION_SSL3=1, PY_SSL_VERSION_SSL23, PY_SSL_VERSION_TLS1 }; @@ -306,8 +308,10 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */ else if (proto_version == PY_SSL_VERSION_SSL3) self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */ +#ifndef OPENSSL_NO_SSL2 else if (proto_version == PY_SSL_VERSION_SSL2) self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */ +#endif else if (proto_version == PY_SSL_VERSION_SSL23) self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ PySSL_END_ALLOW_THREADS @@ -1787,8 +1791,10 @@ PyInit__ssl(void) PY_SSL_CERT_REQUIRED); /* protocol versions */ +#ifndef OPENSSL_NO_SSL2 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2", PY_SSL_VERSION_SSL2); +#endif PyModule_AddIntConstant(m, "PROTOCOL_SSLv3", PY_SSL_VERSION_SSL3); PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",