author | Antoine Pitrou <solipsis@pitrou.net> | 2014-01-09 18:52:12 (GMT) |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2014-01-09 18:52:12 (GMT) |
commit | 3b2afbbf88cb8ba93542641f06c474aab13e50e6 (patch) | |
tree | e54278bb123ab05a2443413e928be76e2c9137d0 /Modules/_ssl.c | |
parent | 27b029bd001caf66cfb8c732ccab2253f3b64a4e (diff) | |
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
Diffstat (limited to 'Modules/_ssl.c')
-rw-r--r-- | Modules/_ssl.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ba64555..752b033 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -273,6 +273,7 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
 char *errstr = NULL;
 int ret;
 int verification_mode;
+ long options;
 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
 if (self == NULL)
@@ -372,8 +373,10 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
 }
 /* ssl compatibility */
- SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ if (proto_version != PY_SSL_VERSION_SSL2)
+ options |= SSL_OP_NO_SSLv2;
+ SSL_CTX_set_options(self->ctx, options);
 verification_mode = SSL_VERIFY_NONE;
 if (certreq == PY_SSL_CERT_OPTIONAL) |
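Review bot: The new `if (proto_version != PY_SSL_VERSION_SSL2)` branch in the second hunk changes which protocols a context will negotiate, yet the only comment above it is still `/* ssl compatibility */`, so the security reason for the extra option is not recorded in the code. I would add a comment directly above the branch, for example `/* SSLv2 is insecure: disable it unless PROTOCOL_SSLv2 was explicitly requested */`. Only SSLv2 is masked out here, so a context created for any other protocol value (presumably including the auto-negotiating SSLv23 mode) can still agree on SSLv3; if that is not intended, `SSL_OP_NO_SSLv3` belongs in the same `options` word. newPySSLObject starts and ends outside both hunks, so how `proto_version` is validated before this point cannot be checked from here.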