Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.

374b4ea9 · Antoine Pitrou · 64b2b6a8 · d358e055 · 374b4ea9 · 374b4ea9
Kaydet (Commit) 374b4ea9 authored Ock 27, 2012 tarafından Antoine Pitrou
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

NEWS Misc/NEWS +3 -0

_ssl.c Modules/_ssl.c +2 -1

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -90,6 +90,9 @@ Core and Builtins
 Library
 -------

+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
 - Issue #6631: Disallow relative file paths in urllib urlopen methods.

 - Issue #13781: Prevent gzip.GzipFile from using the dummy filename provided by

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -369,7 +369,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
    }

    /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

    verification_mode = SSL_VERIFY_NONE;
    if (certreq == PY_SSL_CERT_OPTIONAL)