diff options
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Modules/_ssl.c | 6 |
2 files changed, 7 insertions, 2 deletions
@@ -461,6 +461,9 @@ Core and Builtins Library ------- +- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC + IV attack countermeasure. + - Issue #13847: time.localtime() and time.gmtime() now raise an OSError instead of ValueError on failure. time.ctime() and time.asctime() now raises an OSError if localtime() failed. time.clock() now raises a RuntimeError if the diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 3e5ecfd..3e2e264 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1566,7 +1566,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) self->ctx = ctx; /* Defaults */ SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); - SSL_CTX_set_options(self->ctx, SSL_OP_ALL); + SSL_CTX_set_options(self->ctx, + SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); #define SID_CTX "Python" SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, @@ -2533,7 +2534,8 @@ PyInit__ssl(void) PY_SSL_VERSION_TLS1); /* protocol options */ - PyModule_AddIntConstant(m, "OP_ALL", SSL_OP_ALL); + PyModule_AddIntConstant(m, "OP_ALL", + SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2); PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3); PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1); |