[Python-checkins] cpython: Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional

victor.stinner python-checkins at python.org
Mon May 9 00:43:45 CEST 2011 

http://hg.python.org/cpython/rev/5296c3e2f166
changeset: 69945:5296c3e2f166
user: Victor Stinner <victor.stinner at haypocalc.com>
date: Mon May 09 00:42:58 2011 +0200
summary:
 Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
files:
 Doc/library/ssl.rst | 3 +
 Lib/ssl.py | 26 +++++++------
 Lib/test/test_ssl.py | 57 +++++++++++++++++++------------
 Misc/NEWS | 2 +
 Modules/_ssl.c | 8 +++-
 5 files changed, 60 insertions(+), 36 deletions(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -292,6 +292,9 @@
 
 Selects SSL version 2 as the channel encryption protocol.
 
+ This protocol is not available if OpenSSL is compiled with OPENSSL_NO_SSL2
+ flag.
+
 .. warning::
 
 SSL version 2 is insecure. Its use is highly discouraged.
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -62,8 +62,6 @@
 from _ssl import OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_INFO, OPENSSL_VERSION
 from _ssl import _SSLContext, SSLError
 from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
-from _ssl import (PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23,
- PROTOCOL_TLSv1)
 from _ssl import OP_ALL, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
 from _ssl import RAND_status, RAND_egd, RAND_add
 from _ssl import (
@@ -78,6 +76,19 @@
 SSL_ERROR_INVALID_ERROR_CODE,
 )
 from _ssl import HAS_SNI
+from _ssl import (PROTOCOL_SSLv3, PROTOCOL_SSLv23,
+ PROTOCOL_TLSv1)
+_PROTOCOL_NAMES = {
+ PROTOCOL_TLSv1: "TLSv1",
+ PROTOCOL_SSLv23: "SSLv23",
+ PROTOCOL_SSLv3: "SSLv3",
+}
+try:
+ from _ssl import PROTOCOL_SSLv2
+except ImportError:
+ pass
+else:
+ _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
 
 from socket import getnameinfo as _getnameinfo
 from socket import error as socket_error
@@ -552,13 +563,4 @@
 return DER_cert_to_PEM_cert(dercert)
 
 def get_protocol_name(protocol_code):
- if protocol_code == PROTOCOL_TLSv1:
- return "TLSv1"
- elif protocol_code == PROTOCOL_SSLv23:
- return "SSLv23"
- elif protocol_code == PROTOCOL_SSLv2:
- return "SSLv2"
- elif protocol_code == PROTOCOL_SSLv3:
- return "SSLv3"
- else:
- return "<unknown>"
+ return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -21,9 +21,11 @@
 ssl = support.import_module("ssl")
 
 PROTOCOLS = [
- ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3,
+ ssl.PROTOCOL_SSLv3,
 ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1
 ]
+if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ PROTOCOLS.append(ssl.PROTOCOL_SSLv2)
 
 HOST = support.HOST
 
@@ -67,22 +69,25 @@
 
 # Issue #9415: Ubuntu hijacks their OpenSSL and forcefully disables SSLv2
 def skip_if_broken_ubuntu_ssl(func):
- @functools.wraps(func)
- def f(*args, **kwargs):
- try:
- ssl.SSLContext(ssl.PROTOCOL_SSLv2)
- except ssl.SSLError:
- if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
- platform.linux_distribution() == ('debian', 'squeeze/sid', '')):
- raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")
- return func(*args, **kwargs)
- return f
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ @functools.wraps(func)
+ def f(*args, **kwargs):
+ try:
+ ssl.SSLContext(ssl.PROTOCOL_SSLv2)
+ except ssl.SSLError:
+ if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
+ platform.linux_distribution() == ('debian', 'squeeze/sid', '')):
+ raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")
+ return func(*args, **kwargs)
+ return f
+ else:
+ return func
 
 
 class BasicSocketTests(unittest.TestCase):
 
 def test_constants(self):
- ssl.PROTOCOL_SSLv2
+ #ssl.PROTOCOL_SSLv2
 ssl.PROTOCOL_SSLv23
 ssl.PROTOCOL_SSLv3
 ssl.PROTOCOL_TLSv1
@@ -310,7 +315,8 @@
 
 @skip_if_broken_ubuntu_ssl
 def test_constructor(self):
- ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
@@ -1204,6 +1210,8 @@
 t.join()
 
 @skip_if_broken_ubuntu_ssl
+ @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'),
+ "OpenSSL is compiled without SSLv2 support")
 def test_protocol_sslv2(self):
 """Connecting to an SSLv2 server with various client options"""
 if support.verbose:
@@ -1229,14 +1237,15 @@
 """Connecting to an SSLv23 server with various client options"""
 if support.verbose:
 sys.stdout.write("\n")
- try:
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
- except (ssl.SSLError, socket.error) as x:
- # this fails on some older versions of OpenSSL (0.9.7l, for instance)
- if support.verbose:
- sys.stdout.write(
- " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
- % str(x))
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ try:
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
+ except (ssl.SSLError, socket.error) as x:
+ # this fails on some older versions of OpenSSL (0.9.7l, for instance)
+ if support.verbose:
+ sys.stdout.write(
+ " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
+ % str(x))
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
@@ -1267,7 +1276,8 @@
 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
 if no_sslv2_implies_sslv3_hello():
@@ -1283,7 +1293,8 @@
 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True)
 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
 
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -140,6 +140,8 @@
 Library
 -------
 
+- Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional.
+
 - Issue #8407: The signal handler writes the signal number as a single byte
 instead of a nul byte into the wakeup file descriptor. So it is possible to
 wait more than one signal and know which signals were raised.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -63,8 +63,10 @@
 };
 
 enum py_ssl_version {
+#ifndef OPENSSL_NO_SSL2
 PY_SSL_VERSION_SSL2,
- PY_SSL_VERSION_SSL3,
+#endif
+ PY_SSL_VERSION_SSL3=1,
 PY_SSL_VERSION_SSL23,
 PY_SSL_VERSION_TLS1
 };
@@ -1447,8 +1449,10 @@
 ctx = SSL_CTX_new(TLSv1_method());
 else if (proto_version == PY_SSL_VERSION_SSL3)
 ctx = SSL_CTX_new(SSLv3_method());
+#ifndef OPENSSL_NO_SSL2
 else if (proto_version == PY_SSL_VERSION_SSL2)
 ctx = SSL_CTX_new(SSLv2_method());
+#endif
 else if (proto_version == PY_SSL_VERSION_SSL23)
 ctx = SSL_CTX_new(SSLv23_method());
 else
@@ -2107,8 +2111,10 @@
 PY_SSL_CERT_REQUIRED);
 
 /* protocol versions */
+#ifndef OPENSSL_NO_SSL2
 PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
 PY_SSL_VERSION_SSL2);
+#endif
 PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
 PY_SSL_VERSION_SSL3);
 PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list

AltStyle によって変換されたページ (->オリジナル) /