ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME

author Christian Heimes <christian@cheimes.de>

Thu, 28 Nov 2013 07:06:54 +0000 (08:06 +0100)

committer Christian Heimes <christian@cheimes.de>

Thu, 28 Nov 2013 07:06:54 +0000 (08:06 +0100)
author Christian Heimes <christian@cheimes.de>
Thu, 28 Nov 2013 07:06:54 +0000 (08:06 +0100)
committer Christian Heimes <christian@cheimes.de>
Thu, 28 Nov 2013 07:06:54 +0000 (08:06 +0100)
diff --git a/Lib/ssl.py b/Lib/ssl.py

index 72e6a6e6d4ca65b40f594435e206b133a17d525c..b29b90582ed2103c6c08bf5674c3d6fd7938499c 100644 (file)
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -383,6 +383,8 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
      context = SSLContext(PROTOCOL_TLSv1)
      # SSLv2 considered harmful.
      context.options |= OP_NO_SSLv2
+    # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
+    context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
      # disallow ciphers with known vulnerabilities
      context.set_ciphers(_RESTRICTED_CIPHERS)
      # verify certs in client mode
diff --git a/Misc/NEWS b/Misc/NEWS

index 3c82e1ab218efbccfef7bac8dfea2e123080f853..6411640cc17b7a04c1df13561601463ffad09650 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,8 @@ Core and Builtins
  Library
  -------
  
+- ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME.
+
  - Issue #19802: Add socket.SO_PRIORITY.
  
  - Issue #11508: Fixed uuid.getnode() and uuid.uuid1() on environment with
author	Christian Heimes <christian@cheimes.de>
	Thu, 28 Nov 2013 07:06:54 +0000 (08:06 +0100)
committer	Christian Heimes <christian@cheimes.de>
	Thu, 28 Nov 2013 07:06:54 +0000 (08:06 +0100)
Lib/ssl.py		patch \| blob \| history
Misc/NEWS		patch \| blob \| history