diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:53:29 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:53:29 (GMT) |
| commit | 9e2e5329dc81b56c987fe33c84f3a4c6f368f413 (patch) | |
| tree | b89012d31564b15dd1507a5db86b97f2f1ce4689 /Modules | |
| parent | c9f71481d407d08a3c51888f3bfe8575964be7ab (diff) | |
| parent | 3f366314e831e0babca220abd734f8ae02776925 (diff) | |
| download | cpython-9e2e5329dc81b56c987fe33c84f3a4c6f368f413.zip cpython-9e2e5329dc81b56c987fe33c84f3a4c6f368f413.tar.gz cpython-9e2e5329dc81b56c987fe33c84f3a4c6f368f413.tar.bz2 | |
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/_ssl.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 3e5ecfd..3e2e264 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1566,7 +1566,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) self->ctx = ctx; /* Defaults */ SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); - SSL_CTX_set_options(self->ctx, SSL_OP_ALL); + SSL_CTX_set_options(self->ctx, + SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); #define SID_CTX "Python" SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, @@ -2533,7 +2534,8 @@ PyInit__ssl(void) PY_SSL_VERSION_TLS1); /* protocol options */ - PyModule_AddIntConstant(m, "OP_ALL", SSL_OP_ALL); + PyModule_AddIntConstant(m, "OP_ALL", + SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2); PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3); PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1); |