Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.

author: Antoine Pitrou <solipsis@pitrou.net> 2014-01-09 19:09:03 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net> 2014-01-09 19:09:03 (GMT)
commit: 78ace81c93568da30c789f85f8a8ebafb2ed89b2 (patch)
tree: a5c5ff8b7c238d29d7dbd92ddca8ef37bbb04077 /Lib/test/test_ssl.py
parent: 5940b929095173be65c9faf04f4bdf429742c8c4 (diff)
parent: 2f7c31678a85f599af30b983ecb8321f225c3f15 (diff)
download: cpython-78ace81c93568da30c789f85f8a8ebafb2ed89b2.zip
cpython-78ace81c93568da30c789f85f8a8ebafb2ed89b2.tar.gz
cpython-78ace81c93568da30c789f85f8a8ebafb2ed89b2.tar.bz2
1 files changed, 4 insertions, 6 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 14d3cc1..34e8676 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -670,9 +670,7 @@ class ContextTests(unittest.TestCase):
     @skip_if_broken_ubuntu_ssl
     def test_options(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-        # OP_ALL is the default value
-        self.assertEqual(ssl.OP_ALL, ctx.options)
-        ctx.options |= ssl.OP_NO_SSLv2
+        # OP_ALL | OP_NO_SSLv2 is the default value
         self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
                          ctx.options)
         ctx.options |= ssl.OP_NO_SSLv3
@@ -2095,7 +2093,7 @@ else:
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
-            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
+            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
             # SSLv23 client with specific SSL options
@@ -2103,9 +2101,9 @@ else:
                 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
                 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
                                    client_options=ssl.OP_NO_SSLv2)
-            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
                                client_options=ssl.OP_NO_SSLv3)
-            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
                                client_options=ssl.OP_NO_TLSv1)
 
         @skip_if_broken_ubuntu_ssl
author	Antoine Pitrou <solipsis@pitrou.net>	2014-01-09 19:09:03 (GMT)
committer	Antoine Pitrou <solipsis@pitrou.net>	2014-01-09 19:09:03 (GMT)
commit	78ace81c93568da30c789f85f8a8ebafb2ed89b2 (patch)
tree	a5c5ff8b7c238d29d7dbd92ddca8ef37bbb04077 /Lib/test/test_ssl.py
parent	5940b929095173be65c9faf04f4bdf429742c8c4 (diff)
parent	2f7c31678a85f599af30b983ecb8321f225c3f15 (diff)
download	cpython-78ace81c93568da30c789f85f8a8ebafb2ed89b2.zip cpython-78ace81c93568da30c789f85f8a8ebafb2ed89b2.tar.gz cpython-78ace81c93568da30c789f85f8a8ebafb2ed89b2.tar.bz2