Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack...

author Antoine Pitrou <solipsis@pitrou.net>

Fri, 27 Jan 2012 08:48:47 +0000 (09:48 +0100)

committer Antoine Pitrou <solipsis@pitrou.net>

Fri, 27 Jan 2012 08:48:47 +0000 (09:48 +0100)
author Antoine Pitrou <solipsis@pitrou.net>
Fri, 27 Jan 2012 08:48:47 +0000 (09:48 +0100)
committer Antoine Pitrou <solipsis@pitrou.net>
Fri, 27 Jan 2012 08:48:47 +0000 (09:48 +0100)
diff --git a/Misc/NEWS b/Misc/NEWS

index b14e169a883429e185a1b86d08a94c1e9bfa7cfb..b70b097cb7549516ba047e4bf3e6e797e2eafe28 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
  Library
  -------
  
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
  - Issue #11603: Fix a crash when __str__ is rebound as __repr__.  Patch by
    Andreas Stührk.
  
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index 8ebdc9b99db2f98a1a6ea346b47a5001ca3c5307..16fbb4db42ecaca7c0bc7a1ac74b9055ac580aad 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -365,7 +365,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
      }
  
      /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
  
      verification_mode = SSL_VERIFY_NONE;
      if (certreq == PY_SSL_CERT_OPTIONAL)
author	Antoine Pitrou <solipsis@pitrou.net>
	Fri, 27 Jan 2012 08:48:47 +0000 (09:48 +0100)
committer	Antoine Pitrou <solipsis@pitrou.net>
	Fri, 27 Jan 2012 08:48:47 +0000 (09:48 +0100)
Misc/NEWS		patch \| blob \| history
Modules/_ssl.c		patch \| blob \| history