author | stratakis <cstratak@redhat.com> | 2019-02-15 14:24:11 (GMT) |
---|---|---|
committer | Victor Stinner <vstinner@redhat.com> | 2019-02-15 14:24:11 (GMT) |
commit | b8eaec697a2b5d9d2def2950a0aa50e8ffcf1059 (patch) | |
tree | 3999b0fe5427d530a0a0aec871db684e45580cf4 /Modules | |
parent | c49f63c1761ce03df7850b9e0b31a18c432dac64 (diff) | |
[2.7] bpo-28043: improved default settings for SSLContext (GH-10608)
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE,
OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except
for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3)
are set by default. The initial cipher suite list contains only
HIGH ciphers, no NULL ciphers and no MD5 ciphers (except for PROTOCOL_SSLv2).
(cherry picked from commit 358cfd426ccc0fcd6a7940d306602138e76420ae)
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/_ssl.c | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 19bb120..80078aa 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2181,6 +2181,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 int proto_version = PY_SSL_VERSION_TLS;
 long options;
 SSL_CTX *ctx = NULL;
+ int result;
 
 if (!PyArg_ParseTupleAndKeywords(
 args, kwds, "i:_SSLContext", kwlist,
@@ -2245,8 +2246,38 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 options |= SSL_OP_NO_SSLv2;
 if (proto_version != PY_SSL_VERSION_SSL3)
 options |= SSL_OP_NO_SSLv3;
+ /* Minimal security flags for server and client side context.
+ * Client sockets ignore server-side parameters. */
+#ifdef SSL_OP_NO_COMPRESSION
+ options |= SSL_OP_NO_COMPRESSION;
+#endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+ options |= SSL_OP_SINGLE_DH_USE;
+#endif
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
 SSL_CTX_set_options(self->ctx, options);
 
+ /* A bare minimum cipher list without completly broken cipher suites.
+ * It's far from perfect but gives users a better head start. */
+ if (proto_version != PY_SSL_VERSION_SSL2) {
+ result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5");
+ } else {
+ /* SSLv2 needs MD5 */
+ result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
+ }
+ if (result == 0) {
+ Py_DECREF(self);
+ ERR_clear_error();
+ PyErr_SetString(PySSLErrorObject,
+ "No cipher can be selected.");
+ return NULL;
+ }
+
 #if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
 /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
 prime256v1 by default. This is Apache mod_ssl's initialization |
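Review bot: The comment above the two `SSL_CTX_set_cipher_list` calls in the second hunk should state that `HIGH` is expanded by whichever OpenSSL the module is linked against, so the suites this default enables differ from build to build; older OpenSSL releases, as far as I know, still count 3DES as `HIGH`, and `!aNULL:!eNULL:!MD5` does not remove it. I would extend the comment with `/* HIGH is resolved by the linked OpenSSL at runtime; this is a floor, not a policy. Callers with stricter requirements must still call set_ciphers(). */`. As a point of style, the same block passes `self->ctx` to `SSL_CTX_set_options` and `ctx` to `SSL_CTX_set_cipher_list`; using one name for both would make it obvious they are the same context, assuming `self->ctx` was assigned from `ctx` earlier in `context_new`, whose body starts and ends outside this hunk.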