author | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-03 21:46:48 (GMT) |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-03 21:46:48 (GMT) |
commit | d76088d9729baa15659f7c9609e06a4d9345177a (patch) | |
tree | 1dc3f446f3d3ced7aaf393031b71d357bafb28ed | |
parent | 499718de49505d3cf3797ab5722862cbbe12e801 (diff) | |
Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
-rw-r--r-- | Lib/ssl.py | 11 | ||||
-rw-r--r-- | Lib/test/test_ssl.py | 25 | ||||
-rw-r--r-- | Misc/NEWS | 3 |
3 files changed, 37 insertions, 2 deletions
@@ -81,8 +81,9 @@ _PROTOCOL_NAMES = { } try: from _ssl import PROTOCOL_SSLv2 + _SSLv2_IF_EXISTS = PROTOCOL_SSLv2 except ImportError: - pass + _SSLv2_IF_EXISTS = None else: _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
@@ -91,6 +92,11 @@ from socket import getnameinfo as _getnameinfo import base64 # for DER-to-PEM translation import errno +# Disable weak or insecure ciphers by default +# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL') +_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2' + + class SSLSocket(socket): """This class implements a subtype of socket.socket that wraps
@@ -112,6 +118,9 @@ class SSLSocket(socket): except AttributeError: pass + if ciphers is None and ssl_version != _SSLv2_IF_EXISTS: + ciphers = _DEFAULT_CIPHERS + if certfile and not keyfile: keyfile = certfile # see if it's connected
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index e5addf8..e64d1b2 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -417,10 +417,11 @@ else: ca_certs=self.server.cacerts, cert_reqs=self.server.certreqs, ciphers=self.server.ciphers) - except ssl.SSLError: + except ssl.SSLError as e: # XXX Various errors can have happened here, for example # a mismatching protocol version, an invalid certificate, # or a low-level bug. This should be made more discriminating. + self.server.conn_errors.append(e) if self.server.chatty: handle_error("\n server: bad connection attempt from " + str(self.sock.getpeername()) + ":\n")
@@ -529,12 +530,14 @@ else: sys.stdout.write(' server: wrapped server socket as %s\n' % str(self.sock)) self.port = test_support.bind_port(self.sock) self.active = False + self.conn_errors = [] threading.Thread.__init__(self) self.daemon = True def __enter__(self): self.start(threading.Event()) self.flag.wait() + return self def __exit__(self, *args): self.stop()
@@ -649,6 +652,7 @@ else: def __enter__(self): self.start(threading.Event()) self.flag.wait() + return self def __exit__(self, *args): if test_support.verbose:
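Review bot: The `_SSLv2_IF_EXISTS = None` fallback in the `except ImportError:` branch of the first ssl.py hunk is what keeps the cipher default active on builds without SSLv2, and nothing at the assignment says so. The later check `ssl_version != _SSLv2_IF_EXISTS` is always true when the sentinel is `None`, which is the intended result. I would add a comment above the `try:` such as `# _SSLv2_IF_EXISTS is PROTOCOL_SSLv2 when available, else None so it never equals a requested ssl_version`. Without it, a later edit that replaces `None` with a real protocol constant would silently exempt that protocol from the default cipher list.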
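Review bot: The comment above `_DEFAULT_CIPHERS` in the second ssl.py hunk says weak or insecure ciphers are disabled, but the string only removes anonymous, NULL, `LOW`, `EXPORT` and SSLv2 suites. OpenSSL's MEDIUM class stays enabled, and on OpenSSL builds of this period that class likely still includes RC4-based suites, so the comment overstates what a reader can rely on. I would word it as a floor, for example `# Excludes anonymous, NULL, LOW, EXPORT and SSLv2 suites; MEDIUM suites remain enabled, pass ciphers= for a stricter policy`. Whether to tighten the string itself is a compatibility decision beyond this hunk.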
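Review bot: The default is applied only at `if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:` inside the `SSLSocket` constructor (third ssl.py hunk), so any path that reaches the underlying wrap call without going through this constructor keeps OpenSSL's own default list. The rest of ssl.py is not visible here; if this branch still has the legacy `sslwrap_simple` helper, check that it passes `_DEFAULT_CIPHERS` rather than `None`. Note also that any explicit `ciphers` argument replaces the default instead of being intersected with it, and the SSLv2 case gets no filtering at all, so a short comment above the check stating both would help callers. The constructor starts and ends outside the hunk.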
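Review bot: `self.server.conn_errors.append(e)` in the `@@ -417` hunk runs on the connection-handler thread, while the new `test_default_ciphers` reads `server.conn_errors[0]` from the test thread right after its `with` block, and nothing visible orders the two. Whether `__exit__` waits for handler threads is not shown on this page; if it does not, the test can fail with an `IndexError` instead of a readable assertion. Asserting non-emptiness first, `self.assertTrue(server.conn_errors, "server recorded no handshake error")`, would make that failure mode clear. The enclosing handler method starts and ends outside the hunk.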
@@ -1310,6 +1314,25 @@ else: t.join() server.close() + def test_default_ciphers(self): + with ThreadedEchoServer(CERTFILE, + ssl_version=ssl.PROTOCOL_SSLv23, + chatty=False) as server: + sock = socket.socket() + try: + # Force a set of weak ciphers on our client socket + try: + s = ssl.wrap_socket(sock, + ssl_version=ssl.PROTOCOL_SSLv23, + ciphers="DES") + except ssl.SSLError: + self.skipTest("no DES cipher available") + with self.assertRaises((OSError, ssl.SSLError)): + s.connect((HOST, server.port)) + finally: + sock.close() + self.assertIn("no shared cipher", str(server.conn_errors[0])) + def test_main(verbose=False): global CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, NOKIACERT
@@ -89,6 +89,9 @@ Core and Builtins Library ------- +- Issue #13636: Weak ciphers are now disabled by default in the ssl module + (except when SSLv2 is explicitly asked for). + - Issue #12798: Updated the mimetypes documentation. - Issue #13639: Accept unicode filenames in tarfile.open(mode="w|gz"). |
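Review bot: `test_default_ciphers` covers only the single-DES case (`ciphers="DES"`) and calls `skipTest` when the client cannot select it, so on an OpenSSL build without DES the new default is not exercised at all, and the `!EXPORT` and `!SSLv2` parts of `_DEFAULT_CIPHERS` are never tested. Running the rejected-handshake check over the other excluded classes with a skip per class, e.g. `for weak in ("LOW", "EXPORT"):`, would give the regression test broader coverage. It would also help to add a positive case in which a client with default settings completes the handshake against the same server, so that an over-restrictive default is caught too. The match on `"no shared cipher"` depends on OpenSSL's error text, which deserves a comment next to the assertion.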