[Python-checkins] cpython (merge 3.3 -> default): Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly

Thu Jan 9 20:09:15 CET 2014

http://hg.python.org/cpython/rev/e02288de43ed
changeset: 88378:e02288de43ed
parent: 88374:2af308f79727
parent: 88377:da8486e3e0eb
user: Antoine Pitrou <solipsis at pitrou.net>
date: Thu Jan 09 20:09:03 2014 +0100
summary:
 Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
files:
 Lib/test/test_ssl.py | 10 ++++------
 Misc/NEWS | 3 +++
 Modules/_ssl.c | 9 +++++----
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -670,9 +670,7 @@
 @skip_if_broken_ubuntu_ssl
 def test_options(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # OP_ALL is the default value
- self.assertEqual(ssl.OP_ALL, ctx.options)
- ctx.options |= ssl.OP_NO_SSLv2
+ # OP_ALL | OP_NO_SSLv2 is the default value
 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
 ctx.options)
 ctx.options |= ssl.OP_NO_SSLv3
@@ -2095,7 +2093,7 @@
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
 # SSLv23 client with specific SSL options
@@ -2103,9 +2101,9 @@
 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
 client_options=ssl.OP_NO_SSLv2)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
 client_options=ssl.OP_NO_SSLv3)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
 client_options=ssl.OP_NO_TLSv1)
 
 @skip_if_broken_ubuntu_ssl
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -25,6 +25,9 @@
 Library
 -------
 
+- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
+ asked for.
+
 - Issue #18960: The tokenize module now ignore the source encoding declaration
 on the second line if the first line contains anything except a comment.
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -134,9 +134,7 @@
 };
 
 enum py_ssl_version {
-#ifndef OPENSSL_NO_SSL2
 PY_SSL_VERSION_SSL2,
-#endif
 PY_SSL_VERSION_SSL3=1,
 PY_SSL_VERSION_SSL23,
 #if HAVE_TLSv1_2
@@ -1999,6 +1997,7 @@
 char *kwlist[] = {"protocol", NULL};
 PySSLContext *self;
 int proto_version = PY_SSL_VERSION_SSL23;
+ long options;
 SSL_CTX *ctx = NULL;
 
 if (!PyArg_ParseTupleAndKeywords(
@@ -2055,8 +2054,10 @@
 self->check_hostname = 0;
 /* Defaults */
 SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
- SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ if (proto_version != PY_SSL_VERSION_SSL2)
+ options |= SSL_OP_NO_SSLv2;
+ SSL_CTX_set_options(self->ctx, options);
 
 #define SID_CTX "Python"
 SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
-- 
Repository URL: http://hg.python.org/cpython
