From: Antoine Pitrou <solipsis@pitrou.net>
Date: Fri, 27 Jan 2012 08:42:45 +0000 (+0100)
Subject: Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack... 
X-Git-Tag: v2.7.3rc1~120^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d358e0554bc520768041652676ec8e6076f221a9;p=python

Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 8804d79c22..92e8197691 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
 
 What's New in Python 2.6.7?
 ===========================
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 4619cda600..46f71e858e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -357,7 +357,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
     }
 
     /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
     verification_mode = SSL_VERIFY_NONE;
     if (certreq == PY_SSL_CERT_OPTIONAL)