-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Modules/_ssl.c | 6 |
2 files changed, 7 insertions, 2 deletions
@@ -111,6 +111,9 @@ Core and Builtins
 Library
 -------
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+ IV attack countermeasure.
+
 - Issue #13772: In os.symlink() under Windows, do not try to guess the link target's type (file or directory). The detection was buggy and made the call non-atomic (therefore prone to race conditions).
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 5419059..751e26e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1481,7 +1481,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 self->ctx = ctx;
 /* Defaults */
 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
- SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(self->ctx,
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 #define SID_CTX "Python"
 SSL_CTX_set_session_id_context(self->ctx,
 (const unsigned char *) SID_CTX,
@@ -2143,7 +2144,8 @@ PyInit__ssl(void)
 PY_SSL_VERSION_TLS1);
 /* protocol options */
- PyModule_AddIntConstant(m, "OP_ALL", SSL_OP_ALL);
+ PyModule_AddIntConstant(m, "OP_ALL",
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
 PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
 PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1); |
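Review bot: The bit being masked out of SSL_OP_ALL at the `SSL_CTX_set_options` call in context_new is not explained in the code, and the existing `/* Defaults */` comment gives a future maintainer no reason not to collapse it back to plain `SSL_OP_ALL`; add a comment next to the call such as `/* SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which turns off OpenSSL's CBC IV attack countermeasure (CVE-2011-3389); clear it so the countermeasure stays enabled by default. */`. The empty fragments that the countermeasure emits are, as far as I know, the reason the flag was folded into SSL_OP_ALL as a bug workaround in the first place, so any interoperability reports that follow this change should be triaged as peer bugs rather than fixed by restoring the bit for every context. context_new begins and ends outside this hunk.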
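Review bot: The expression `SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` is now written out twice, in this PyInit__ssl hunk and in context_new, and the two copies must stay identical or the default `ctx.options` will silently diverge from the exported `ssl.OP_ALL`; define it once, e.g. `#define PY_SSL_OP_ALL (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)` near the other module-level defines, and use `PY_SSL_OP_ALL` at both sites. A one-line comment on that define saying the cleared flag disables the CBC IV attack countermeasure (CVE-2011-3389) would carry the rationale from the NEWS entry into the code where the next reader will actually look. PyInit__ssl continues outside this hunk.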