(original) (raw)

changeset: 99070:d80954d941c7 branch: 2.7 parent: 99066:10c3646b2d59 user: Benjamin Peterson benjamin@python.org date: Wed Nov 11 22:38:41 2015 -0800 files: Lib/test/test_ssl.py Misc/NEWS Modules/_ssl.c description: always set OP_NO_SSLv3 by default (closes #25530) diff -r 10c3646b2d59 -r d80954d941c7 Lib/test/test_ssl.py --- a/Lib/test/test_ssl.py Wed Nov 11 22:07:38 2015 -0800 +++ b/Lib/test/test_ssl.py Wed Nov 11 22:38:41 2015 -0800 @@ -714,11 +714,11 @@ @skip_if_broken_ubuntu_ssl def test_options(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - # OP_ALL | OP_NO_SSLv2 is the default value - self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, + # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value + self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, ctx.options) - ctx.options |= ssl.OP_NO_SSLv3 - self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, + ctx.options |= ssl.OP_NO_TLSv1 + self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1, ctx.options) if can_clear_options(): ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1 @@ -2230,17 +2230,17 @@ " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" % str(x)) if hasattr(ssl, 'PROTOCOL_SSLv3'): - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3') + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1') if hasattr(ssl, 'PROTOCOL_SSLv3'): - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL) if hasattr(ssl, 'PROTOCOL_SSLv3'): - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED) + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED) @@ -2272,8 +2272,8 @@ try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) if no_sslv2_implies_sslv3_hello(): # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs - try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3', - client_options=ssl.OP_NO_SSLv2) + try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, + False, client_options=ssl.OP_NO_SSLv2) @skip_if_broken_ubuntu_ssl def test_protocol_tlsv1(self): diff -r 10c3646b2d59 -r d80954d941c7 Misc/NEWS --- a/Misc/NEWS Wed Nov 11 22:07:38 2015 -0800 +++ b/Misc/NEWS Wed Nov 11 22:38:41 2015 -0800 @@ -49,6 +49,9 @@ Library ------- +- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating + ssl.SSLContext. + - Issue #25569: Fix memory leak in SSLSocket.getpeercert(). - Issue #7759: Fixed the mhlib module on filesystems that doesn't support diff -r 10c3646b2d59 -r d80954d941c7 Modules/_ssl.c --- a/Modules/_ssl.c Wed Nov 11 22:07:38 2015 -0800 +++ b/Modules/_ssl.c Wed Nov 11 22:38:41 2015 -0800 @@ -2046,6 +2046,8 @@ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; if (proto_version != PY_SSL_VERSION_SSL2) options |= SSL_OP_NO_SSLv2; + if (proto_version != PY_SSL_VERSION_SSL3) + options |= SSL_OP_NO_SSLv3; SSL_CTX_set_options(self->ctx, options); #ifndef OPENSSL_NO_ECDH /benjamin@python.org