cpython: 56f64ec9259f (original) (raw)

--- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -674,11 +674,11 @@ class ContextTests(unittest.TestCase): @skip_if_broken_ubuntu_ssl def test_options(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

   # OP_ALL | OP_NO_SSLv2 is the default value[](#l1.7)

   self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,[](#l1.8)

   # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value[](#l1.9)

   self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,[](#l1.10)
                    ctx.options)[](#l1.11)

   ctx.options |= ssl.OP_NO_SSLv3[](#l1.12)

   self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,[](#l1.13)

   ctx.options |= ssl.OP_NO_TLSv1[](#l1.14)

   self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1,[](#l1.15)
                    ctx.options)[](#l1.16)
   if can_clear_options():[](#l1.17)
       ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1[](#l1.18)

@@ -2172,17 +2172,17 @@ else: " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" % str(x)) if hasattr(ssl, 'PROTOCOL_SSLv3'):

           try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)[](#l1.23)

           try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)[](#l1.24)
       try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)[](#l1.25)
       try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)[](#l1.26)

if hasattr(ssl, 'PROTOCOL_SSLv3'):

           try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)[](#l1.29)

           try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)[](#l1.30)
       try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)[](#l1.31)
       try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)[](#l1.32)

if hasattr(ssl, 'PROTOCOL_SSLv3'):

           try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)[](#l1.35)

           try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)[](#l1.36)
       try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)[](#l1.37)
       try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)[](#l1.38)

@@ -2214,8 +2214,8 @@ else: try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) if no_sslv2_implies_sslv3_hello(): # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs

           try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,[](#l1.44)

                              client_options=ssl.OP_NO_SSLv2)[](#l1.45)

           try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,[](#l1.46)

                              False, client_options=ssl.OP_NO_SSLv2)[](#l1.47)

@skip_if_broken_ubuntu_ssl def test_protocol_tlsv1(self):

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -107,6 +107,9 @@ Library at the end if the FileInput was opened with binary mode. Patch by Ryosuke Ito. +- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating

ssl.SSLContext. +

Issue #25569: Fix memory leak in SSLSocket.getpeercert().
Issue #21827: Fixed textwrap.dedent() for the case when largest common

--- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -2037,6 +2037,8 @@ context_new(PyTypeObject *type, PyObject options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; if (proto_version != PY_SSL_VERSION_SSL2) options |= SSL_OP_NO_SSLv2;

if (proto_version != PY_SSL_VERSION_SSL3)
```
   options |= SSL_OP_NO_SSLv3;[](#l3.8)
```
SSL_CTX_set_options(self->ctx, options);

#ifndef OPENSSL_NO_ECDH