diff options
| author | Christian Heimes <christian@python.org> | 2016-09-10 20:43:48 (GMT) |
|---|---|---|
| committer | Christian Heimes <christian@python.org> | 2016-09-10 20:43:48 (GMT) |
| commit | 358cfd426ccc0fcd6a7940d306602138e76420ae (patch) | |
| tree | d57ee1b7dbe174fb49f35c4eac449e4404a96357 /Modules/_ssl.c | |
| parent | 70360194c768efb0b26d524d5b94d4da963d632a (diff) | |
| download | cpython-358cfd426ccc0fcd6a7940d306602138e76420ae.zip cpython-358cfd426ccc0fcd6a7940d306602138e76420ae.tar.gz cpython-358cfd426ccc0fcd6a7940d306602138e76420ae.tar.bz2 | |
Issue 28043: SSLContext has improved default settings
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
Diffstat (limited to 'Modules/_ssl.c')
| -rw-r--r-- | Modules/_ssl.c | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index b4fac44..d605405 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -2407,6 +2407,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) PySSLContext *self; long options; SSL_CTX *ctx = NULL; + int result; #if defined(SSL_MODE_RELEASE_BUFFERS) unsigned long libver; #endif @@ -2470,8 +2471,38 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) options |= SSL_OP_NO_SSLv2; if (proto_version != PY_SSL_VERSION_SSL3) options |= SSL_OP_NO_SSLv3; + /* Minimal security flags for server and client side context. + * Client sockets ignore server-side parameters. */ +#ifdef SSL_OP_NO_COMPRESSION + options |= SSL_OP_NO_COMPRESSION; +#endif +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + options |= SSL_OP_CIPHER_SERVER_PREFERENCE; +#endif +#ifdef SSL_OP_SINGLE_DH_USE + options |= SSL_OP_SINGLE_DH_USE; +#endif +#ifdef SSL_OP_SINGLE_ECDH_USE + options |= SSL_OP_SINGLE_ECDH_USE; +#endif SSL_CTX_set_options(self->ctx, options); + /* A bare minimum cipher list without completly broken cipher suites. + * It's far from perfect but gives users a better head start. */ + if (proto_version != PY_SSL_VERSION_SSL2) { + result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5"); + } else { + /* SSLv2 needs MD5 */ + result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL"); + } + if (result == 0) { + Py_DECREF(self); + ERR_clear_error(); + PyErr_SetString(PySSLErrorObject, + "No cipher can be selected."); + return NULL; + } + #if defined(SSL_MODE_RELEASE_BUFFERS) /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory usage for no cost at all. However, don't do this for OpenSSL versions |