Issue #13636: Weak ciphers are now disabled by default in the ssl module

(except when SSLv2 is explicitly asked for).
2025-08-31 05:58:33 +00:00 · 2012-01-03 22:46:48 +01:00 · 2012-01-03 22:46:48 +01:00 · 8f85f907e3
commit 8f85f907e3
parent ea320abcae
3 changed files with 34 additions and 3 deletions
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@ -762,10 +762,11 @@ else:
                try:
                    self.sslconn = self.server.context.wrap_socket(
                        self.sock, server_side=True)
-                except ssl.SSLError:
+                except ssl.SSLError as e:
                    # XXX Various errors can have happened here, for example
                    # a mismatching protocol version, an invalid certificate,
                    # or a low-level bug. This should be made more discriminating.
+                    self.server.conn_errors.append(e)
                    if self.server.chatty:
                        handle_error("\n server:  bad connection attempt from " + repr(self.addr) + ":\n")
                    self.running = False
@ -878,12 +879,14 @@ else:
            self.port = support.bind_port(self.sock)
            self.flag = None
            self.active = False
+            self.conn_errors = []
            threading.Thread.__init__(self)
            self.daemon = True

        def __enter__(self):
            self.start(threading.Event())
            self.flag.wait()
+            return self

        def __exit__(self, *args):
            self.stop()
@ -1004,6 +1007,7 @@ else:
        def __enter__(self):
            self.start(threading.Event())
            self.flag.wait()
+            return self

        def __exit__(self, *args):
            if support.verbose:
@ -1604,6 +1608,22 @@ else:
                t.join()
                server.close()

+        def test_default_ciphers(self):
+            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            try:
+                # Force a set of weak ciphers on our client context
+                context.set_ciphers("DES")
+            except ssl.SSLError:
+                self.skipTest("no DES cipher available")
+            with ThreadedEchoServer(CERTFILE,
+                                    ssl_version=ssl.PROTOCOL_SSLv23,
+                                    chatty=False) as server:
+                with socket.socket() as sock:
+                    s = context.wrap_socket(sock)
+                    with self.assertRaises((OSError, ssl.SSLError)):
+                        s.connect((HOST, server.port))
+            self.assertIn("no shared cipher", str(server.conn_errors[0]))
+

 def test_main(verbose=False):
    if support.verbose: