mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-04 00:48:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Issue #13636: Weak ciphers are now disabled by default in the ssl module

Browse source 
(except when SSLv2 is explicitly asked for).
This commit is contained in:
Antoine Pitrou 2012-01-03 22:49:08 +01:00
commit 72aeec35a1
3 changed files with 35 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
Lib/ssl.py
View file

@ -98,8 +98,9 @@ _PROTOCOL_NAMES = {
}
try:
from _ssl import PROTOCOL_SSLv2
_SSLv2_IF_EXISTS = PROTOCOL_SSLv2
except ImportError:
pass
_SSLv2_IF_EXISTS = None
else:
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
@ -115,6 +116,11 @@ if _ssl.HAS_TLS_UNIQUE:
else:
CHANNEL_BINDING_TYPES = []
# Disable weak or insecure ciphers by default
# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
class CertificateError(ValueError):
pass
@ -181,7 +187,10 @@ class SSLContext(_SSLContext):
__slots__ = ('protocol',)
def __new__(cls, protocol, *args, **kwargs):
return _SSLContext.__new__(cls, protocol)
self = _SSLContext.__new__(cls, protocol)
if protocol != _SSLv2_IF_EXISTS:
self.set_ciphers(_DEFAULT_CIPHERS)
return self
def __init__(self, protocol):
self.protocol = protocol