diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:48:47 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-27 08:48:47 (GMT) |
| commit | f2bf8a6ac51530e14d798a03c8e950dd934d85cd (patch) | |
| tree | 3a1cc25e0096d15d7158f43ceb0a8b786b04b17b /Modules | |
| parent | 889bb2969d00a548279c7e4dd237c23b100548e2 (diff) | |
| download | cpython-f2bf8a6ac51530e14d798a03c8e950dd934d85cd.zip cpython-f2bf8a6ac51530e14d798a03c8e950dd934d85cd.tar.gz cpython-f2bf8a6ac51530e14d798a03c8e950dd934d85cd.tar.bz2 | |
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/_ssl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 8ebdc9b..16fbb4d 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -365,7 +365,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, } /* ssl compatibility */ - SSL_CTX_set_options(self->ctx, SSL_OP_ALL); + SSL_CTX_set_options(self->ctx, + SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); verification_mode = SSL_VERIFY_NONE; if (certreq == PY_SSL_CERT_OPTIONAL) |