cpython: d80954d941c7 (original) (raw)
--- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -714,11 +714,11 @@ class ContextTests(unittest.TestCase): @skip_if_broken_ubuntu_ssl def test_options(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# OP_ALL | OP_NO_SSLv2 is the default value[](#l1.7)
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,[](#l1.8)
# OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value[](#l1.9)
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,[](#l1.10) ctx.options)[](#l1.11)
ctx.options |= ssl.OP_NO_SSLv3[](#l1.12)
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,[](#l1.13)
ctx.options |= ssl.OP_NO_TLSv1[](#l1.14)
self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1,[](#l1.15) ctx.options)[](#l1.16) if can_clear_options():[](#l1.17) ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1[](#l1.18)
@@ -2230,17 +2230,17 @@ else: " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" % str(x)) if hasattr(ssl, 'PROTOCOL_SSLv3'):
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')[](#l1.23)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)[](#l1.24) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)[](#l1.25) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')[](#l1.26)
if hasattr(ssl, 'PROTOCOL_SSLv3'):
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)[](#l1.29)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)[](#l1.30) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)[](#l1.31) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)[](#l1.32)
if hasattr(ssl, 'PROTOCOL_SSLv3'):
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)[](#l1.35)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)[](#l1.36) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)[](#l1.37) try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)[](#l1.38)
@@ -2272,8 +2272,8 @@ else: try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) if no_sslv2_implies_sslv3_hello(): # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3',[](#l1.44)
client_options=ssl.OP_NO_SSLv2)[](#l1.45)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,[](#l1.46)
False, client_options=ssl.OP_NO_SSLv2)[](#l1.47)
@skip_if_broken_ubuntu_ssl def test_protocol_tlsv1(self):
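Review bot: The comment `# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs` above the third hunk's `try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False, client_options=ssl.OP_NO_SSLv2)` still explains why that combination used to succeed, but the expectation below it is now `False` and nothing in the hunk says why, so a reader may read the expected failure as a bug in the SSLv3-hello handling rather than the intended default. I would extend it to `# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs, but an SSLv23 server context now has OP_NO_SSLv3 set by default, so the handshake must fail` (the default is what test_options in the first hunk and the NEWS entry assert). In the first hunk, the new `ctx.options |= ssl.OP_NO_TLSv1` already sets the flag that the unchanged `ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1` line ORs in again, so the can_clear_options branch appears to exercise only the clearing of OP_NO_SSLv2; the assertion it feeds lies outside the hunk, so this is inferred, and a one-line comment such as `# OP_NO_TLSv1 is already set; only the OP_NO_SSLv2 clear is under test` would make it explicit.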
--- a/Misc/NEWS +++ b/Misc/NEWS @@ -49,6 +49,9 @@ Core and Builtins Library ------- +- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating
- Issue #25569: Fix memory leak in SSLSocket.getpeercert().
- Issue #7759: Fixed the mhlib module on filesystems that doesn't support
--- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -2046,6 +2046,8 @@ context_new(PyTypeObject *type, PyObject options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; if (proto_version != PY_SSL_VERSION_SSL2) options |= SSL_OP_NO_SSLv2;