author | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:50:45 (GMT) |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:50:45 (GMT) |
commit | 3f366314e831e0babca220abd734f8ae02776925 (patch) | |
tree | 1840944ff83b8298a2e52567c97102ea65ff3397 /Modules/_ssl.c | |
parent | 722db7bdba74c3c82ecd8b2d44daf1e2508b6734 (diff) | |
parent | f2bf8a6ac51530e14d798a03c8e950dd934d85cd (diff) | |
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
Diffstat (limited to 'Modules/_ssl.c')
-rw-r--r-- | Modules/_ssl.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 5419059..751e26e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1481,7 +1481,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 self->ctx = ctx;
 /* Defaults */
 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
- SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(self->ctx,
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 #define SID_CTX "Python"
 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
@@ -2143,7 +2144,8 @@ PyInit__ssl(void)
 PY_SSL_VERSION_TLS1);
 /* protocol options */
- PyModule_AddIntConstant(m, "OP_ALL", SSL_OP_ALL);
+ PyModule_AddIntConstant(m, "OP_ALL",
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
 PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
 PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1); |
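Review bot: The mask `SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` is written out by hand here in context_new and again in the PyInit__ssl hunk, so the context default and the exported `OP_ALL` constant can drift apart if only one of them is edited later. A single definition near the top of the file, for example `#define PY_SSL_OP_ALL (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)` (the name is only a suggestion), used at both call sites would keep the two values identical. That definition should carry a comment such as `/* SSL_OP_ALL minus the bit that turns off the empty-fragment CBC IV countermeasure (CVE-2011-3389) */`, because nothing at the call site says why one workaround bit is excluded. context_new starts and ends outside the hunk.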
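Review bot: After this change the module-level `OP_ALL` no longer equals OpenSSL's `SSL_OP_ALL`, and nothing in the hunk records that the difference is deliberate. A comment on the `PyModule_AddIntConstant(m, "OP_ALL", ...)` call, for example `/* not OpenSSL's SSL_OP_ALL: the empty-fragment countermeasure stays enabled, see issue #13885 */`, would keep a later cleanup from restoring the plain macro. The diffstat shown is limited to Modules/_ssl.c, so it is not visible whether a test or the module documentation covers this; if not, a regression test on the default options of a newly created context would be worth adding. PyInit__ssl continues outside the hunk.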