

Commit cd3d7ca

committed
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
1 parent 1064a13 commit cd3d7ca

3 files changed

Lines changed: 12 additions & 8 deletions


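--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -534,9 +534,7 @@ def test_ciphers(self):
 @skip_if_broken_ubuntu_ssl
 def test_options(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-# OP_ALL is the default value
-self.assertEqual(ssl.OP_ALL, ctx.options)
-ctx.options |= ssl.OP_NO_SSLv2
+# OP_ALL | OP_NO_SSLv2 is the default value
 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
 ctx.options)
 ctx.options |= ssl.OP_NO_SSLv3
@@ -1585,17 +1583,17 @@ def test_protocol_sslv2(self):
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
-try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
+try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
 # SSLv23 client with specific SSL options
 if no_sslv2_implies_sslv3_hello():
 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
 client_options=ssl.OP_NO_SSLv2)
-try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
 client_options=ssl.OP_NO_SSLv3)
-try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
 client_options=ssl.OP_NO_TLSv1)
 
 @skip_if_broken_ubuntu_ssl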
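Review bot: The two changed `client_options` cases in the second hunk (OP_NO_SSLv3 and OP_NO_TLSv1) now expect False for the same reason as the existing OP_NO_SSLv2 case, but the only explanation nearby is the comment `# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs`, which covers just the first of the three. A comment on the changed lines such as `# PROTOCOL_SSLv23 contexts now set OP_NO_SSLv2 by default, so an SSLv2-only server is never reachable regardless of the other options` would record why these flipped from True to False. It is also worth checking whether the `no_sslv2_implies_sslv3_hello()` guard is still the right condition for those two cases, since their outcome presumably no longer depends on it. test_protocol_sslv2 begins before the hunk.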

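--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -43,6 +43,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
+asked for.
+
 - Issue #18960: The tokenize module now ignore the source encoding declaration
 on the second line if the first line contains anything except a comment.
 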
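--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1737,6 +1737,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 char *kwlist[] = {"protocol", NULL};
 PySSLContext *self;
 int proto_version = PY_SSL_VERSION_SSL23;
+long options;
 SSL_CTX *ctx = NULL;
 
 if (!PyArg_ParseTupleAndKeywords(
@@ -1782,8 +1783,10 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 #endif
 /* Defaults */
 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
-SSL_CTX_set_options(self->ctx,
-SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+if (proto_version != PY_SSL_VERSION_SSL2)
+options |= SSL_OP_NO_SSLv2;
+SSL_CTX_set_options(self->ctx, options);
 
 #define SID_CTX "Python"
 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,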
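Review bot: The second hunk changes the default `options` of every new context except PROTOCOL_SSLv2 to include SSL_OP_NO_SSLv2, but the diffstat lists only the test, NEWS and _ssl.c, so the library documentation of the `SSLContext.options` default (OP_ALL, as the removed test comment stated) appears to be left stale by this commit. The new branch would also benefit from a why-comment, since the `/* Defaults */` marker above it no longer tells the reader that one protocol is deliberately left without the hardening; something like `/* SSLv2 is insecure: keep it disabled unless the caller explicitly asked for PROTOCOL_SSLv2 (issue #20207). */` on the line before the `if`. context_new begins before the first hunk and continues past the second.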
