|
1 This patch comes from in-house. It has not yet been submitted upstream, |
|
2 but submission is planned. |
|
3 |
|
4 --- Python-2.7.9/Modules/_ssl.c.~1~ 2014-12-10 07:59:53.000000000 -0800 |
|
5 +++ Python-2.7.9/Modules/_ssl.c 2015-01-08 12:46:53.321182041 -0800 |
|
6 @@ -2042,6 +2042,8 @@ |
|
7 options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
|
8 if (proto_version != PY_SSL_VERSION_SSL2) |
|
9 options |= SSL_OP_NO_SSLv2; |
|
10 + if (proto_version != PY_SSL_VERSION_SSL3) |
|
11 + options |= SSL_OP_NO_SSLv3; |
|
12 SSL_CTX_set_options(self->ctx, options); |
|
13 |
|
14 #ifndef OPENSSL_NO_ECDH |
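Review bot: The two added lines `if (proto_version != PY_SSL_VERSION_SSL3)` / `options |= SSL_OP_NO_SSLv3;` change the default `SSLContext.options` for every protocol other than PROTOCOL_SSLv3, yet they carry no comment and the patch touches no documentation, so a reader of _ssl.c sees only a parallel to the SSLv2 line above. A why-comment above the new `if` would record the intent given only in the test file: `/* Also disable SSLv3 by default (POODLE). A PROTOCOL_SSLv3 context may still use it, and callers can clear the flag through ctx.options where OpenSSL permits. */` The ssl module documentation, which presumably still describes the default as OP_ALL | OP_NO_SSLv2, is not part of this patch and would need the same update since PROTOCOL_SSLv23 users now observe a different default. The enclosing function starts and ends outside the hunk.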
|
15 --- Python-2.7.9/Lib/test/test_ssl.py.~1~ 2014-12-10 07:59:47.000000000 -0800 |
|
16 +++ Python-2.7.9/Lib/test/test_ssl.py 2015-01-08 17:41:04.734623805 -0800 |
|
17 @@ -713,10 +713,7 @@ |
|
18 @skip_if_broken_ubuntu_ssl |
|
19 def test_options(self): |
|
20 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) |
|
21 - # OP_ALL | OP_NO_SSLv2 is the default value |
|
22 - self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, |
|
23 - ctx.options) |
|
24 - ctx.options |= ssl.OP_NO_SSLv3 |
|
25 + # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value |
|
26 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, |
|
27 ctx.options) |
|
28 if can_clear_options(): |
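Review bot: The new assertion pins the default for a PROTOCOL_TLSv1 context only, while the C change is conditional on `proto_version != PY_SSL_VERSION_SSL3`; that branch is the one most likely to regress and nothing in the test covers it. Adding, guarded the way the rest of this file guards SSLv3, `if hasattr(ssl, 'PROTOCOL_SSLv3'):` / `ctx3 = ssl.SSLContext(ssl.PROTOCOL_SSLv3)` / `self.assertFalse(ctx3.options & ssl.OP_NO_SSLv3)` would check that an explicit SSLv3 context is not silently disabled. The removed `ctx.options |= ssl.OP_NO_SSLv3` line also dropped the only positive check that setting the flag works; the clearing branch below the hunk presumably still exercises the opposite direction. test_options continues past the end of the hunk.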
|
29 @@ -2212,7 +2209,7 @@ |
|
30 sys.stdout.write("\n") |
|
31 if hasattr(ssl, 'PROTOCOL_SSLv2'): |
|
32 try: |
|
33 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True) |
|
34 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, False) |
|
35 except socket.error as x: |
|
36 # this fails on some older versions of OpenSSL (0.9.7l, for instance) |
|
37 if support.verbose: |
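Review bot: The expected outcome for the SSLv2-client-to-SSLv23-server combo flips from `True` to `False` with no comment explaining why, and the same applies to the three SSLv3 combos changed from `'SSLv3'` to `False` in the following hunk (@@ -2220,17 +2217,17 @@); only the last hunk of the file records the reason (`# until we disabled SSLv3 for Poodle`). A one-line comment above the first changed call, `# SSLv23 servers now refuse SSLv3 by default (POODLE), so these combos fail`, would let a future maintainer distinguish an intended failure from a broken OpenSSL. The `except socket.error` that follows the changed line also catches the expected failure path, so it is worth confirming that `try_protocol_combo` reports a mismatch against `False` via an assertion rather than a socket.error that this handler would swallow; its definition is outside the hunk.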
|
38 @@ -2220,17 +2217,17 @@ |
|
39 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" |
|
40 % str(x)) |
|
41 if hasattr(ssl, 'PROTOCOL_SSLv3'): |
|
42 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3') |
|
43 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False) |
|
44 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True) |
|
45 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1') |
|
46 |
|
47 if hasattr(ssl, 'PROTOCOL_SSLv3'): |
|
48 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL) |
|
49 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL) |
|
50 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL) |
|
51 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL) |
|
52 |
|
53 if hasattr(ssl, 'PROTOCOL_SSLv3'): |
|
54 - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED) |
|
55 + try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED) |
|
56 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED) |
|
57 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED) |
|
58 |
|
59 @@ -2262,7 +2259,8 @@ |
|
60 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) |
|
61 if no_sslv2_implies_sslv3_hello(): |
|
62 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs |
|
63 - try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3', |
|
64 + # until we disabled SSLv3 for Poodle |
|
65 + try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False, |
|
66 client_options=ssl.OP_NO_SSLv2) |
|
67 |
|
68 @skip_if_broken_ubuntu_ssl |
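Review bot: The added comment `# until we disabled SSLv3 for Poodle` reads as a fragment of the previous comment line and, on its own, leaves the expected `False` unexplained. Rewording the pair as `# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs,` / `# but the SSLv23 server now rejects SSLv3 by default (POODLE), so this fails` states the cause and the expected result together. The `no_sslv2_implies_sslv3_hello()` guard and the enclosing test function are outside the hunk.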