[Python-checkins] cpython (merge 3.5 -> default): merge 3.5 (#25530)

benjamin.peterson python-checkins at python.org
Thu Nov 12 01:45:47 EST 2015 

https://hg.python.org/cpython/rev/2899acbd2b46
changeset: 99073:2899acbd2b46
parent: 99069:fb55b1ab43fc
parent: 99072:d1737db0f1b2
user: Benjamin Peterson <benjamin at python.org>
date: Wed Nov 11 22:45:36 2015 -0800
summary:
 merge 3.5 (#25530)
files:
 Lib/test/test_ssl.py | 18 +++++++++---------
 Misc/NEWS | 3 +++
 Modules/_ssl.c | 2 ++
 3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -784,11 +784,11 @@
 @skip_if_broken_ubuntu_ssl
 def test_options(self):
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # OP_ALL | OP_NO_SSLv2 is the default value
- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
+ # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
+ self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
 ctx.options)
- ctx.options |= ssl.OP_NO_SSLv3
- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
+ ctx.options |= ssl.OP_NO_TLSv1
+ self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1,
 ctx.options)
 if can_clear_options():
 ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
@@ -2451,17 +2451,17 @@
 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
 % str(x))
 if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
 
 if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
 
 if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
 
@@ -2493,8 +2493,8 @@
 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
 if no_sslv2_implies_sslv3_hello():
 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
- try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3',
- client_options=ssl.OP_NO_SSLv2)
+ try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,
+ False, client_options=ssl.OP_NO_SSLv2)
 
 @skip_if_broken_ubuntu_ssl
 def test_protocol_tlsv1(self):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -233,6 +233,9 @@
 - Issue #13248: Remove deprecated inspect.getargspec and inspect.getmoduleinfo
 functions.
 
+- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating
+ ssl.SSLContext.
+
 - Issue #25569: Fix memory leak in SSLSocket.getpeercert().
 
 - Issue #25471: Sockets returned from accept() shouldn't appear to be
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2276,6 +2276,8 @@
 options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 if (proto_version != PY_SSL_VERSION_SSL2)
 options |= SSL_OP_NO_SSLv2;
+ if (proto_version != PY_SSL_VERSION_SSL3)
+ options |= SSL_OP_NO_SSLv3;
 SSL_CTX_set_options(self->ctx, options);
 
 #ifndef OPENSSL_NO_ECDH
-- 
Repository URL: https://hg.python.org/cpython

More information about the Python-checkins mailing list

AltStyle によって変換されたページ (->オリジナル) /