Message229929
| Author |
vstinner |
| Recipients |
alex, christian.heimes, dstufft, giampaolo.rodola, janssen, mbasti, pitrou, vstinner |
| Date |
2014年10月24日.15:13:04 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1414163585.04.0.660417851276.issue22717@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
> 317 self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
I don't see this line in Python 2.7.8 vanilla:
https://hg.python.org/cpython/file/ee879c0ffa11/Modules/_ssl.c
It looks like Fedora patched the source code:
http://pkgs.fedoraproject.org/cgit/python.git/tree/00195-enable-sslv23-in-ssl.patch
I see an obvious bug in the Fedora patch: it dereferences self->ctx before checking if self->ctx is NULL.
diff -up Python-2.7.8/Modules/_ssl.c.orig Python-2.7.8/Modules/_ssl.c
--- Python-2.7.8/Modules/_ssl.c.orig 2014年07月17日 14:17:32.584362667 +0200
+++ Python-2.7.8/Modules/_ssl.c 2014年07月17日 14:17:38.215405930 +0200
@@ -312,8 +312,10 @@ newPySSLObject(PySocketSockObject *Sock,
else if (proto_version == PY_SSL_VERSION_SSL2)
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
#endif
- else if (proto_version == PY_SSL_VERSION_SSL23)
+ else if (proto_version == PY_SSL_VERSION_SSL23) {
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
+ self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ }
PySSL_END_ALLOW_THREADS
if (self->ctx == NULL) { |
|