Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack...

author Antoine Pitrou <solipsis@pitrou.net>

Fri, 27 Jan 2012 08:42:45 +0000 (09:42 +0100)

committer Antoine Pitrou <solipsis@pitrou.net>

Fri, 27 Jan 2012 08:42:45 +0000 (09:42 +0100)
author Antoine Pitrou <solipsis@pitrou.net>
Fri, 27 Jan 2012 08:42:45 +0000 (09:42 +0100)
committer Antoine Pitrou <solipsis@pitrou.net>
Fri, 27 Jan 2012 08:42:45 +0000 (09:42 +0100)
diff --git a/Misc/NEWS b/Misc/NEWS

index 8804d79c22135e056f5ca022b06b745fb0248a94..92e8197691da3ea75b932d3f4e7b73eceb2f93ea 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
  Library
  -------
  
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
  
  What's New in Python 2.6.7?
  ===========================
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index 4619cda60034fdc2b18316de728ea19781cae585..46f71e858e2696c22d3547a9286cb3e4cc1037eb 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -357,7 +357,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
      }
  
      /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
  
      verification_mode = SSL_VERIFY_NONE;
      if (certreq == PY_SSL_CERT_OPTIONAL)
author	Antoine Pitrou <solipsis@pitrou.net>
	Fri, 27 Jan 2012 08:42:45 +0000 (09:42 +0100)
committer	Antoine Pitrou <solipsis@pitrou.net>
	Fri, 27 Jan 2012 08:42:45 +0000 (09:42 +0100)
Misc/NEWS		patch \| blob \| history
Modules/_ssl.c		patch \| blob \| history