diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:42:45 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:42:45 (GMT) |
| commit | d358e0554bc520768041652676ec8e6076f221a9 (patch) | |
| tree | dddbd92a0b1a033e8fc0e3e0b448d4eb31e1bff1 /Modules | |
| parent | 141e770e8f351726d983a489bdc81ce1a29b4005 (diff) | |
| download | cpython-d358e0554bc520768041652676ec8e6076f221a9.zip cpython-d358e0554bc520768041652676ec8e6076f221a9.tar.gz cpython-d358e0554bc520768041652676ec8e6076f221a9.tar.bz2 | |
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/_ssl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 4619cda..46f71e8 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -357,7 +357,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, } /* ssl compatibility */ - SSL_CTX_set_options(self->ctx, SSL_OP_ALL); + SSL_CTX_set_options(self->ctx, + SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); verification_mode = SSL_VERIFY_NONE; if (certreq == PY_SSL_CERT_OPTIONAL) |