From cd3d7cabef64267da43519a832a7429c1a8a15f9 Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 9 Jan 2014 20:02:20 +0100 Subject: Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for. --- Lib/test/test_ssl.py | 10 ++++------ Misc/NEWS | 3 +++ Modules/_ssl.c | 7 +++++-- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 104a1ed..1dd6829 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -534,9 +534,7 @@ class ContextTests(unittest.TestCase): @skip_if_broken_ubuntu_ssl def test_options(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - # OP_ALL is the default value - self.assertEqual(ssl.OP_ALL, ctx.options) - ctx.options |= ssl.OP_NO_SSLv2 + # OP_ALL | OP_NO_SSLv2 is the default value self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, ctx.options) ctx.options |= ssl.OP_NO_SSLv3 @@ -1585,7 +1583,7 @@ else: try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED) - try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True) + try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False) try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False) # SSLv23 client with specific SSL options @@ -1593,9 +1591,9 @@ else: # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False, client_options=ssl.OP_NO_SSLv2) - try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True, + try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False, client_options=ssl.OP_NO_SSLv3) - try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True, + try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False, client_options=ssl.OP_NO_TLSv1) @skip_if_broken_ubuntu_ssl diff --git a/Misc/NEWS b/Misc/NEWS index 6bf5a30..1fcae77 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -43,6 +43,9 @@ Core and Builtins Library ------- +- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly + asked for. + - Issue #18960: The tokenize module now ignore the source encoding declaration on the second line if the first line contains anything except a comment. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 4b02d8d..8789d00 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1737,6 +1737,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) char *kwlist[] = {"protocol", NULL}; PySSLContext *self; int proto_version = PY_SSL_VERSION_SSL23; + long options; SSL_CTX *ctx = NULL; if (!PyArg_ParseTupleAndKeywords( @@ -1782,8 +1783,10 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) #endif /* Defaults */ SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); - SSL_CTX_set_options(self->ctx, - SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); + options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + if (proto_version != PY_SSL_VERSION_SSL2) + options |= SSL_OP_NO_SSLv2; + SSL_CTX_set_options(self->ctx, options); #define SID_CTX "Python" SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, -- cgit v0.12