Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
This commit is contained in:
parent
1064a13bb0
commit
cd3d7cabef
|
@ -534,9 +534,7 @@ class ContextTests(unittest.TestCase):
|
|||
@skip_if_broken_ubuntu_ssl
|
||||
def test_options(self):
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
# OP_ALL is the default value
|
||||
self.assertEqual(ssl.OP_ALL, ctx.options)
|
||||
ctx.options |= ssl.OP_NO_SSLv2
|
||||
# OP_ALL | OP_NO_SSLv2 is the default value
|
||||
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
|
||||
ctx.options)
|
||||
ctx.options |= ssl.OP_NO_SSLv3
|
||||
|
@ -1585,7 +1583,7 @@ else:
|
|||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
|
||||
# SSLv23 client with specific SSL options
|
||||
|
@ -1593,9 +1591,9 @@ else:
|
|||
# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
|
||||
client_options=ssl.OP_NO_SSLv2)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
|
||||
client_options=ssl.OP_NO_SSLv3)
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
|
||||
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
|
||||
client_options=ssl.OP_NO_TLSv1)
|
||||
|
||||
@skip_if_broken_ubuntu_ssl
|
||||
|
|
|
@ -43,6 +43,9 @@ Core and Builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
|
||||
asked for.
|
||||
|
||||
- Issue #18960: The tokenize module now ignore the source encoding declaration
|
||||
on the second line if the first line contains anything except a comment.
|
||||
|
||||
|
|
|
@ -1737,6 +1737,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
|||
char *kwlist[] = {"protocol", NULL};
|
||||
PySSLContext *self;
|
||||
int proto_version = PY_SSL_VERSION_SSL23;
|
||||
long options;
|
||||
SSL_CTX *ctx = NULL;
|
||||
|
||||
if (!PyArg_ParseTupleAndKeywords(
|
||||
|
@ -1782,8 +1783,10 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
|||
#endif
|
||||
/* Defaults */
|
||||
SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
|
||||
SSL_CTX_set_options(self->ctx,
|
||||
SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
||||
options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
||||
if (proto_version != PY_SSL_VERSION_SSL2)
|
||||
options |= SSL_OP_NO_SSLv2;
|
||||
SSL_CTX_set_options(self->ctx, options);
|
||||
|
||||
#define SID_CTX "Python"
|
||||
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
|
||||
|
|
Loading…
Reference in New Issue