always set OP_NO_SSLv3 by default (closes #25530)

author Benjamin Peterson <benjamin@python.org>

Thu, 12 Nov 2015 06:38:41 +0000 (22:38 -0800)

committer Benjamin Peterson <benjamin@python.org>

Thu, 12 Nov 2015 06:38:41 +0000 (22:38 -0800)
author Benjamin Peterson <benjamin@python.org>
Thu, 12 Nov 2015 06:38:41 +0000 (22:38 -0800)
committer Benjamin Peterson <benjamin@python.org>
Thu, 12 Nov 2015 06:38:41 +0000 (22:38 -0800)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

index e58f55ac4c0c5d9f08f829ec802f2f0aa7914fb2..27572c392fe9d41aa23736f7ceb4d6031634201e 100644 (file)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -714,12 +714,12 @@ class ContextTests(unittest.TestCase):
      @skip_if_broken_ubuntu_ssl
      def test_options(self):
          ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-        # OP_ALL | OP_NO_SSLv2 is the default value
-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
-                         ctx.options)
-        ctx.options |= ssl.OP_NO_SSLv3
+        # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
          self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
                           ctx.options)
+        ctx.options |= ssl.OP_NO_TLSv1
+        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1,
+                         ctx.options)
          if can_clear_options():
              ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
              self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
@@ -2230,17 +2230,17 @@ else:
                              " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
                              % str(x))
              if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
  
              if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
  
              if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
  
@@ -2272,8 +2272,8 @@ else:
              try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
              if no_sslv2_implies_sslv3_hello():
                  # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
-                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3',
-                                   client_options=ssl.OP_NO_SSLv2)
+                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,
+                                   False, client_options=ssl.OP_NO_SSLv2)
  
          @skip_if_broken_ubuntu_ssl
          def test_protocol_tlsv1(self):
diff --git a/Misc/NEWS b/Misc/NEWS

index 2869f80db1c9ce1a71adb6448ab169a7081a226f..03aac95da48df1855bc4e37f56c51a250dc15a37 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -49,6 +49,9 @@ Core and Builtins
  Library
  -------
  
+- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating
+  ssl.SSLContext.
+
  - Issue #25569: Fix memory leak in SSLSocket.getpeercert().
  
  - Issue #7759: Fixed the mhlib module on filesystems that doesn't support
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index a327ae289c766bd8d0d2e4b764fa93419c9e0d5b..398a43aaf876be9ab74f6f07efb3a686ef502b19 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2046,6 +2046,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
      options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
      if (proto_version != PY_SSL_VERSION_SSL2)
          options |= SSL_OP_NO_SSLv2;
+    if (proto_version != PY_SSL_VERSION_SSL3)
+        options |= SSL_OP_NO_SSLv3;
      SSL_CTX_set_options(self->ctx, options);
  
  #ifndef OPENSSL_NO_ECDH
author	Benjamin Peterson <benjamin@python.org>
	Thu, 12 Nov 2015 06:38:41 +0000 (22:38 -0800)
committer	Benjamin Peterson <benjamin@python.org>
	Thu, 12 Nov 2015 06:38:41 +0000 (22:38 -0800)
Lib/test/test_ssl.py		patch \| blob \| history
Misc/NEWS		patch \| blob \| history
Modules/_ssl.c		patch \| blob \| history