summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVictor Stinner <victor.stinner@haypocalc.com>2011-05-09 22:38:00 (GMT)
committerVictor Stinner <victor.stinner@haypocalc.com>2011-05-09 22:38:00 (GMT)
commitee18b6f2fda4afcdd1a22adb5b0637019510907b (patch)
tree0c2edfbffca2241eb3b42afb41adf0fc4002f886
parent4755ab010f18863e305bbd17bbc16b7f39aed360 (diff)
downloadcpython-ee18b6f2fda4afcdd1a22adb5b0637019510907b.zip
cpython-ee18b6f2fda4afcdd1a22adb5b0637019510907b.tar.gz
cpython-ee18b6f2fda4afcdd1a22adb5b0637019510907b.tar.bz2
Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2 protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid. Optimize also ssl.get_protocol_name(): speed does matter!
-rw-r--r--Doc/library/ssl.rst3
-rw-r--r--Lib/ssl.py25
-rw-r--r--Lib/test/test_ssl.py26
-rw-r--r--Misc/NEWS2
-rw-r--r--Modules/_ssl.c8
5 files changed, 40 insertions, 24 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index ff7a016..ca32429 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -219,6 +219,9 @@ Functions, Constants, and Exceptions
Selects SSL version 2 as the channel encryption protocol.
+ This protocol is not available if OpenSSL is compiled with OPENSSL_NO_SSL2
+ flag.
+
.. warning::
SSL version 2 is insecure. Its use is highly discouraged.
diff --git a/Lib/ssl.py b/Lib/ssl.py
index f98bd73..bbb8111 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -60,8 +60,6 @@ import _ssl # if we can't import it, let the error propagate
from _ssl import SSLError
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
-from _ssl import (PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23,
- PROTOCOL_TLSv1)
from _ssl import RAND_status, RAND_egd, RAND_add
from _ssl import (
SSL_ERROR_ZERO_RETURN,
@@ -74,6 +72,18 @@ from _ssl import (
SSL_ERROR_EOF,
SSL_ERROR_INVALID_ERROR_CODE,
)
+from _ssl import PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
+_PROTOCOL_NAMES = {
+ PROTOCOL_TLSv1: "TLSv1",
+ PROTOCOL_SSLv23: "SSLv23",
+ PROTOCOL_SSLv3: "SSLv3",
+}
+try:
+ from _ssl import PROTOCOL_SSLv2
+except ImportError:
+ pass
+else:
+ _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
from socket import getnameinfo as _getnameinfo
from socket import error as socket_error
@@ -427,13 +437,4 @@ def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
return DER_cert_to_PEM_cert(dercert)
def get_protocol_name(protocol_code):
- if protocol_code == PROTOCOL_TLSv1:
- return "TLSv1"
- elif protocol_code == PROTOCOL_SSLv23:
- return "SSLv23"
- elif protocol_code == PROTOCOL_SSLv2:
- return "SSLv2"
- elif protocol_code == PROTOCOL_SSLv3:
- return "SSLv3"
- else:
- return "<unknown>"
+ return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index bb38890..f2f4f80 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -40,7 +40,7 @@ def handle_error(prefix):
class BasicTests(unittest.TestCase):
def test_constants(self):
- ssl.PROTOCOL_SSLv2
+ #ssl.PROTOCOL_SSLv2
ssl.PROTOCOL_SSLv23
ssl.PROTOCOL_SSLv3
ssl.PROTOCOL_TLSv1
@@ -838,6 +838,7 @@ else:
finally:
t.join()
+ @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'), "need SSLv2")
def test_protocol_sslv2(self):
"""Connecting to an SSLv2 server with various client options"""
if support.verbose:
@@ -857,14 +858,15 @@ else:
sys.stdout.write("\ntest_protocol_sslv23 disabled, "
"as it fails on OpenSSL 1.0.0+")
return
- try:
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
- except (ssl.SSLError, socket.error) as x:
- # this fails on some older versions of OpenSSL (0.9.7l, for instance)
- if support.verbose:
- sys.stdout.write(
- " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
- % str(x))
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ try:
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
+ except (ssl.SSLError, socket.error) as x:
+ # this fails on some older versions of OpenSSL (0.9.7l, for instance)
+ if support.verbose:
+ sys.stdout.write(
+ " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
+ % str(x))
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
@@ -886,7 +888,8 @@ else:
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
@@ -899,7 +902,8 @@ else:
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True)
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
diff --git a/Misc/NEWS b/Misc/NEWS
index 951a136..9f4d9a8 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -69,6 +69,8 @@ Core and Builtins
Library
-------
+- Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional.
+
- Issue #11164: Stop trying to use _xmlplus in the xml module.
- Issue #11927: SMTP_SSL now uses port 465 by default as documented. Patch
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 73a76bb..8ebdc9b 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -63,8 +63,10 @@ enum py_ssl_cert_requirements {
};
enum py_ssl_version {
+#ifndef OPENSSL_NO_SSL2
PY_SSL_VERSION_SSL2,
- PY_SSL_VERSION_SSL3,
+#endif
+ PY_SSL_VERSION_SSL3=1,
PY_SSL_VERSION_SSL23,
PY_SSL_VERSION_TLS1
};
@@ -306,8 +308,10 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
else if (proto_version == PY_SSL_VERSION_SSL3)
self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
+#ifndef OPENSSL_NO_SSL2
else if (proto_version == PY_SSL_VERSION_SSL2)
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
+#endif
else if (proto_version == PY_SSL_VERSION_SSL23)
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
PySSL_END_ALLOW_THREADS
@@ -1787,8 +1791,10 @@ PyInit__ssl(void)
PY_SSL_CERT_REQUIRED);
/* protocol versions */
+#ifndef OPENSSL_NO_SSL2
PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
PY_SSL_VERSION_SSL2);
+#endif
PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
PY_SSL_VERSION_SSL3);
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",