

Commit 78ace81

committed
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2 parents 5940b92 + 2f7c316 commit 78ace81

3 files changed

Lines changed: 12 additions & 10 deletions

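--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -670,9 +670,7 @@ def test_ciphers(self):
     @skip_if_broken_ubuntu_ssl
     def test_options(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-        # OP_ALL is the default value
-        self.assertEqual(ssl.OP_ALL, ctx.options)
-        ctx.options |= ssl.OP_NO_SSLv2
+        # OP_ALL | OP_NO_SSLv2 is the default value
         self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
                          ctx.options)
         ctx.options |= ssl.OP_NO_SSLv3
@@ -2095,17 +2093,17 @@ def test_protocol_sslv2(self):
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
-            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
+            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
             # SSLv23 client with specific SSL options
             if no_sslv2_implies_sslv3_hello():
                 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
                 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
                                    client_options=ssl.OP_NO_SSLv2)
-            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
                                client_options=ssl.OP_NO_SSLv3)
-            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
                                client_options=ssl.OP_NO_TLSv1)
 
         @skip_if_broken_ubuntu_ssl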
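Review bot: None of the visible hunks cover the carve-out the commit introduces — that a context created with PROTOCOL_SSLv2 does *not* get OP_NO_SSLv2 in its default options — so a regression that disabled SSLv2 unconditionally would pass this test file unchanged. test_options only checks the PROTOCOL_TLSv1 default; a second, skip-guarded assertion would pin the exception, e.g. `if hasattr(ssl, 'PROTOCOL_SSLv2'):` / `ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)` / `self.assertEqual(ssl.OP_ALL, ctx.options)`. In test_protocol_sslv2, the three combos flipped from True to False now fail for a reason the surrounding comments do not state (the SSLv23 server side now has SSLv2 disabled by default, so an SSLv2-only client has nothing to negotiate); a one-line comment before the first flipped combo, such as `# SSLv23 server disables SSLv2 by default, so an SSLv2 client cannot connect`, would keep the intent readable next to the older "No SSLv2 => client will use an SSLv3 hello" note, which explains only the client_options=OP_NO_SSLv2 case. Both test methods start before their hunks; test_options continues past its hunk.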

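--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -25,6 +25,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
+  asked for.
+
 - Issue #18960: The tokenize module now ignore the source encoding declaration
   on the second line if the first line contains anything except a comment.
 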
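--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -134,9 +134,7 @@ enum py_ssl_cert_requirements {
 };
 
 enum py_ssl_version {
-#ifndef OPENSSL_NO_SSL2
     PY_SSL_VERSION_SSL2,
-#endif
     PY_SSL_VERSION_SSL3=1,
     PY_SSL_VERSION_SSL23,
 #if HAVE_TLSv1_2
@@ -1999,6 +1997,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
     char *kwlist[] = {"protocol", NULL};
     PySSLContext *self;
     int proto_version = PY_SSL_VERSION_SSL23;
+    long options;
     SSL_CTX *ctx = NULL;
 
     if (!PyArg_ParseTupleAndKeywords(
@@ -2055,8 +2054,10 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
     self->check_hostname = 0;
     /* Defaults */
     SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
-    SSL_CTX_set_options(self->ctx,
-                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+    options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    if (proto_version != PY_SSL_VERSION_SSL2)
+        options |= SSL_OP_NO_SSLv2;
+    SSL_CTX_set_options(self->ctx, options);
 
 #define SID_CTX "Python"
     SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,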
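Review bot: The new default in the third hunk is the security-relevant decision of this commit, yet the `/* Defaults */` block says nothing about why SSLv2 is singled out or why the one exemption exists; a short comment above the `if`, such as `/* SSLv2 is insecure: disable it unless the caller explicitly asked for PROTOCOL_SSLv2, since that context could otherwise never connect */`, would stop a later cleanup from "simplifying" the condition away. The first hunk drops the `#ifndef OPENSSL_NO_SSL2` guard so that PY_SSL_VERSION_SSL2 (value 0) is always defined and the comparison compiles on OpenSSL builds without SSLv2; a one-line comment on that enum member, e.g. `/* always defined so context_new() can compare against it; the method itself stays behind OPENSSL_NO_SSL2 */`, would record that this is intentional rather than a lost guard. The comparison relies on proto_version having been validated between the second and third hunks, which is outside the visible lines, so I cannot confirm it here. context_new starts before the second hunk and continues after the third.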
