From: Antoine Pitrou
Date: Thu, 9 Jan 2014 18:52:12 +0000 (+0100)
Subject: Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked...
X-Git-Tag: v2.7.8~141
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3b2afbbf88cb8ba93542641f06c474aab13e50e6;p=python
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
---
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index c1c338449a..426e261382 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1052,7 +1052,7 @@ else:
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 91278d9bcf..3d077041fb 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -35,6 +35,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
+ asked for.
+
 - Issue #20072: Fixed multiple errors in tkinter with wantobjects is False.
 
 - Issue #1065986: pydoc can now handle unicode strings.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ba64555799..752b033e75 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -273,6 +273,7 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
 char *errstr = NULL;
 int ret;
 int verification_mode;
+ long options;
 
 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
 if (self == NULL)
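Review bot: The flipped expectation on the `-`/`+` pair has no comment saying why a PROTOCOL_SSLv23 peer must now fail against a PROTOCOL_SSLv2 one, so the True→False edit reads like a typo without the _ssl.c half of this commit; add `# PROTOCOL_SSLv23 now sets SSL_OP_NO_SSLv2, so it cannot negotiate with an SSLv2-only peer` above the changed call. Only this one ordering of the two protocols is exercised here; if the mirror combination (`ssl.PROTOCOL_SSLv23` first, `ssl.PROTOCOL_SSLv2` second) is asserted elsewhere in the file with an expectation of success, it should be re-checked against the same option change — presumably it is, but that is outside this hunk. The enclosing test method begins before this hunk.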
@@ -372,8 +373,10 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
 }
 
 /* ssl compatibility */
- SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ if (proto_version != PY_SSL_VERSION_SSL2)
+ options |= SSL_OP_NO_SSLv2;
+ SSL_CTX_set_options(self->ctx, options);
 
 verification_mode = SSL_VERIFY_NONE;
 if (certreq == PY_SSL_CERT_OPTIONAL)
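Review bot: The new `if (proto_version != PY_SSL_VERSION_SSL2)` branch carries no comment on why SSLv2 is masked out, and the surviving `/* ssl compatibility */` header above it now describes only part of what the block does; add `/* SSLv2 is disabled unless PROTOCOL_SSLv2 was explicitly requested (issue #20207). SSLv3 and later remain negotiable for every other protocol. */` above the `options =` line. Spelling out that SSLv3 is still offered under PROTOCOL_SSLv23 matters, because a reader skimming `SSL_OP_NO_SSLv2` could assume all legacy versions are now off. The `options` variable is declared in the earlier hunk of this file; newPySSLObject itself starts and ends outside this hunk.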