ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME

author: Christian Heimes <christian@cheimes.de> 2013-11-28 07:06:54 (GMT)
committer: Christian Heimes <christian@cheimes.de> 2013-11-28 07:06:54 (GMT)
commit: dec813f118f7abffa24a9a0431dea125a6096518 (patch)
tree: 60c8cbe047f112437953a0b1bab0ee9cf3857b2f /Lib/ssl.py
parent: 50a5dad608eb4e582a30726c2214b6578d6e11db (diff)
download: cpython-dec813f118f7abffa24a9a0431dea125a6096518.zip
cpython-dec813f118f7abffa24a9a0431dea125a6096518.tar.gz
cpython-dec813f118f7abffa24a9a0431dea125a6096518.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 72e6a6e..b29b905 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -383,6 +383,8 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
     context = SSLContext(PROTOCOL_TLSv1)
     # SSLv2 considered harmful.
     context.options |= OP_NO_SSLv2
+    # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
+    context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
     # disallow ciphers with known vulnerabilities
     context.set_ciphers(_RESTRICTED_CIPHERS)
     # verify certs in client mode
author	Christian Heimes <christian@cheimes.de>	2013-11-28 07:06:54 (GMT)
committer	Christian Heimes <christian@cheimes.de>	2013-11-28 07:06:54 (GMT)
commit	dec813f118f7abffa24a9a0431dea125a6096518 (patch)
tree	60c8cbe047f112437953a0b1bab0ee9cf3857b2f /Lib/ssl.py
parent	50a5dad608eb4e582a30726c2214b6578d6e11db (diff)
download	cpython-dec813f118f7abffa24a9a0431dea125a6096518.zip cpython-dec813f118f7abffa24a9a0431dea125a6096518.tar.gz cpython-dec813f118f7abffa24a9a0431dea125a6096518.tar.bz2