merge 3.4 (#25530)

author: Benjamin Peterson <benjamin@python.org> 2015-11-12 06:45:22 (GMT)
committer: Benjamin Peterson <benjamin@python.org> 2015-11-12 06:45:22 (GMT)
commit: 45bde5d2ee58ac4887b034569c2ee930b3cfb8af (patch)
tree: ee7a1a5928c47f94f8407c270d967c4a9526e081
parent: 86429bd1749e475145198b2d1498ef43b2597ab2 (diff)
parent: a9dcdabccb1a1f7c76030c0b188ecaf7ab599e57 (diff)
download: cpython-45bde5d2ee58ac4887b034569c2ee930b3cfb8af.zip
cpython-45bde5d2ee58ac4887b034569c2ee930b3cfb8af.tar.gz
cpython-45bde5d2ee58ac4887b034569c2ee930b3cfb8af.tar.bz2
3 files changed, 14 insertions, 9 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index f314ff4..548feeb 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -784,12 +784,12 @@ class ContextTests(unittest.TestCase):
     @skip_if_broken_ubuntu_ssl
     def test_options(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-        # OP_ALL | OP_NO_SSLv2 is the default value
-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
-                         ctx.options)
-        ctx.options |= ssl.OP_NO_SSLv3
+        # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
         self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
                          ctx.options)
+        ctx.options |= ssl.OP_NO_TLSv1
+        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1,
+                         ctx.options)
         if can_clear_options():
             ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
             self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
@@ -2451,17 +2451,17 @@ else:
                             " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
                             % str(x))
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
 
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
 
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
 
@@ -2493,8 +2493,8 @@ else:
             try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
             if no_sslv2_implies_sslv3_hello():
                 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
-                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3',
-                                   client_options=ssl.OP_NO_SSLv2)
+                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,
+                                   False, client_options=ssl.OP_NO_SSLv2)
 
         @skip_if_broken_ubuntu_ssl
         def test_protocol_tlsv1(self):
diff --git a/Misc/NEWS b/Misc/NEWS
index 85dd158..c79ac83 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -229,6 +229,9 @@ Library
 - Issue #24881: Fixed setting binary mode in Python implementation of FileIO
   on Windows and Cygwin.  Patch from Akira Li.
 
+- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating
+  ssl.SSLContext.
+
 - Issue #25569: Fix memory leak in SSLSocket.getpeercert().
 
 - Issue #25471: Sockets returned from accept() shouldn't appear to be
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a918586..b04a637 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2276,6 +2276,8 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
     options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
     if (proto_version != PY_SSL_VERSION_SSL2)
         options |= SSL_OP_NO_SSLv2;
+    if (proto_version != PY_SSL_VERSION_SSL3)
+        options |= SSL_OP_NO_SSLv3;
     SSL_CTX_set_options(self->ctx, options);
 
 #ifndef OPENSSL_NO_ECDH
author	Benjamin Peterson <benjamin@python.org>	2015-11-12 06:45:22 (GMT)
committer	Benjamin Peterson <benjamin@python.org>	2015-11-12 06:45:22 (GMT)
commit	45bde5d2ee58ac4887b034569c2ee930b3cfb8af (patch)
tree	ee7a1a5928c47f94f8407c270d967c4a9526e081
parent	86429bd1749e475145198b2d1498ef43b2597ab2 (diff)
parent	a9dcdabccb1a1f7c76030c0b188ecaf7ab599e57 (diff)
download	cpython-45bde5d2ee58ac4887b034569c2ee930b3cfb8af.zip cpython-45bde5d2ee58ac4887b034569c2ee930b3cfb8af.tar.gz cpython-45bde5d2ee58ac4887b034569c2ee930b3cfb8af.tar.bz2