Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2 protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid. Optimize also ssl.get_protocol_name(): speed does matter!
This commit is contained in:
Victor Stinner
parent
4755ab010f
commit
ee18b6f2fd
|
|
@ -219,6 +219,9 @@ Functions, Constants, and Exceptions
|
||||||
|
|
||||||
Selects SSL version 2 as the channel encryption protocol.
|
Selects SSL version 2 as the channel encryption protocol.
|
||||||
|
|
||||||
|
This protocol is not available if OpenSSL is compiled with OPENSSL_NO_SSL2
|
||||||
|
flag.
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
SSL version 2 is insecure. Its use is highly discouraged.
|
SSL version 2 is insecure. Its use is highly discouraged.
|
||||||
|
|
|
||||||
25
Lib/ssl.py
25
Lib/ssl.py
|
|
@ -60,8 +60,6 @@ import _ssl # if we can't import it, let the error propagate
|
||||||
|
|
||||||
from _ssl import SSLError
|
from _ssl import SSLError
|
||||||
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
|
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
|
||||||
from _ssl import (PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23,
|
|
||||||
PROTOCOL_TLSv1)
|
|
||||||
from _ssl import RAND_status, RAND_egd, RAND_add
|
from _ssl import RAND_status, RAND_egd, RAND_add
|
||||||
from _ssl import (
|
from _ssl import (
|
||||||
SSL_ERROR_ZERO_RETURN,
|
SSL_ERROR_ZERO_RETURN,
|
||||||
|
|
@ -74,6 +72,18 @@ from _ssl import (
|
||||||
SSL_ERROR_EOF,
|
SSL_ERROR_EOF,
|
||||||
SSL_ERROR_INVALID_ERROR_CODE,
|
SSL_ERROR_INVALID_ERROR_CODE,
|
||||||
)
|
)
|
||||||
|
from _ssl import PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
|
||||||
|
_PROTOCOL_NAMES = {
|
||||||
|
PROTOCOL_TLSv1: "TLSv1",
|
||||||
|
PROTOCOL_SSLv23: "SSLv23",
|
||||||
|
PROTOCOL_SSLv3: "SSLv3",
|
||||||
|
}
|
||||||
|
try:
|
||||||
|
from _ssl import PROTOCOL_SSLv2
|
||||||
|
except ImportError:
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
|
||||||
|
|
||||||
from socket import getnameinfo as _getnameinfo
|
from socket import getnameinfo as _getnameinfo
|
||||||
from socket import error as socket_error
|
from socket import error as socket_error
|
||||||
|
|
@ -427,13 +437,4 @@ def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
|
||||||
return DER_cert_to_PEM_cert(dercert)
|
return DER_cert_to_PEM_cert(dercert)
|
||||||
|
|
||||||
def get_protocol_name(protocol_code):
|
def get_protocol_name(protocol_code):
|
||||||
if protocol_code == PROTOCOL_TLSv1:
|
return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')
|
||||||
return "TLSv1"
|
|
||||||
elif protocol_code == PROTOCOL_SSLv23:
|
|
||||||
return "SSLv23"
|
|
||||||
elif protocol_code == PROTOCOL_SSLv2:
|
|
||||||
return "SSLv2"
|
|
||||||
elif protocol_code == PROTOCOL_SSLv3:
|
|
||||||
return "SSLv3"
|
|
||||||
else:
|
|
||||||
return "<unknown>"
|
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ def handle_error(prefix):
|
||||||
class BasicTests(unittest.TestCase):
|
class BasicTests(unittest.TestCase):
|
||||||
|
|
||||||
def test_constants(self):
|
def test_constants(self):
|
||||||
ssl.PROTOCOL_SSLv2
|
#ssl.PROTOCOL_SSLv2
|
||||||
ssl.PROTOCOL_SSLv23
|
ssl.PROTOCOL_SSLv23
|
||||||
ssl.PROTOCOL_SSLv3
|
ssl.PROTOCOL_SSLv3
|
||||||
ssl.PROTOCOL_TLSv1
|
ssl.PROTOCOL_TLSv1
|
||||||
|
|
@ -838,6 +838,7 @@ else:
|
||||||
finally:
|
finally:
|
||||||
t.join()
|
t.join()
|
||||||
|
|
||||||
|
@unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'), "need SSLv2")
|
||||||
def test_protocol_sslv2(self):
|
def test_protocol_sslv2(self):
|
||||||
"""Connecting to an SSLv2 server with various client options"""
|
"""Connecting to an SSLv2 server with various client options"""
|
||||||
if support.verbose:
|
if support.verbose:
|
||||||
|
|
@ -857,14 +858,15 @@ else:
|
||||||
sys.stdout.write("\ntest_protocol_sslv23 disabled, "
|
sys.stdout.write("\ntest_protocol_sslv23 disabled, "
|
||||||
"as it fails on OpenSSL 1.0.0+")
|
"as it fails on OpenSSL 1.0.0+")
|
||||||
return
|
return
|
||||||
try:
|
if hasattr(ssl, 'PROTOCOL_SSLv2'):
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
|
try:
|
||||||
except (ssl.SSLError, socket.error) as x:
|
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
|
||||||
# this fails on some older versions of OpenSSL (0.9.7l, for instance)
|
except (ssl.SSLError, socket.error) as x:
|
||||||
if support.verbose:
|
# this fails on some older versions of OpenSSL (0.9.7l, for instance)
|
||||||
sys.stdout.write(
|
if support.verbose:
|
||||||
" SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
|
sys.stdout.write(
|
||||||
% str(x))
|
" SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
|
||||||
|
% str(x))
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
|
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
|
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
|
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
|
||||||
|
|
@ -886,7 +888,8 @@ else:
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True)
|
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True)
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
|
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
|
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
|
if hasattr(ssl, 'PROTOCOL_SSLv2'):
|
||||||
|
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
|
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
|
||||||
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
|
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
|
||||||
|
|
||||||
|
|
@ -899,7 +902,8 @@ else:
|
||||||
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True)
|
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True)
|
||||||
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
|
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
|
||||||
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
|
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
|
||||||
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
|
if hasattr(ssl, 'PROTOCOL_SSLv2'):
|
||||||
|
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
|
||||||
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
|
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
|
||||||
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
|
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -69,6 +69,8 @@ Core and Builtins
|
||||||
Library
|
Library
|
||||||
-------
|
-------
|
||||||
|
|
||||||
|
- Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional.
|
||||||
|
|
||||||
- Issue #11164: Stop trying to use _xmlplus in the xml module.
|
- Issue #11164: Stop trying to use _xmlplus in the xml module.
|
||||||
|
|
||||||
- Issue #11927: SMTP_SSL now uses port 465 by default as documented. Patch
|
- Issue #11927: SMTP_SSL now uses port 465 by default as documented. Patch
|
||||||
|
|
|
||||||
|
|
@ -63,8 +63,10 @@ enum py_ssl_cert_requirements {
|
||||||
};
|
};
|
||||||
|
|
||||||
enum py_ssl_version {
|
enum py_ssl_version {
|
||||||
|
#ifndef OPENSSL_NO_SSL2
|
||||||
PY_SSL_VERSION_SSL2,
|
PY_SSL_VERSION_SSL2,
|
||||||
PY_SSL_VERSION_SSL3,
|
#endif
|
||||||
|
PY_SSL_VERSION_SSL3=1,
|
||||||
PY_SSL_VERSION_SSL23,
|
PY_SSL_VERSION_SSL23,
|
||||||
PY_SSL_VERSION_TLS1
|
PY_SSL_VERSION_TLS1
|
||||||
};
|
};
|
||||||
|
|
@ -306,8 +308,10 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
|
||||||
self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
|
self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
|
||||||
else if (proto_version == PY_SSL_VERSION_SSL3)
|
else if (proto_version == PY_SSL_VERSION_SSL3)
|
||||||
self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
|
self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
|
||||||
|
#ifndef OPENSSL_NO_SSL2
|
||||||
else if (proto_version == PY_SSL_VERSION_SSL2)
|
else if (proto_version == PY_SSL_VERSION_SSL2)
|
||||||
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
|
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
|
||||||
|
#endif
|
||||||
else if (proto_version == PY_SSL_VERSION_SSL23)
|
else if (proto_version == PY_SSL_VERSION_SSL23)
|
||||||
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
|
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
|
||||||
PySSL_END_ALLOW_THREADS
|
PySSL_END_ALLOW_THREADS
|
||||||
|
|
@ -1787,8 +1791,10 @@ PyInit__ssl(void)
|
||||||
PY_SSL_CERT_REQUIRED);
|
PY_SSL_CERT_REQUIRED);
|
||||||
|
|
||||||
/* protocol versions */
|
/* protocol versions */
|
||||||
|
#ifndef OPENSSL_NO_SSL2
|
||||||
PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
|
PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
|
||||||
PY_SSL_VERSION_SSL2);
|
PY_SSL_VERSION_SSL2);
|
||||||
|
#endif
|
||||||
PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
|
PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
|
||||||
PY_SSL_VERSION_SSL3);
|
PY_SSL_VERSION_SSL3);
|
||||||
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
|
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue