mirror of
https://github.com/python/cpython.git
synced 2025-08-15 22:30:42 +00:00
Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
This commit is contained in:
Antoine Pitrou
parent
499718de49
commit
d76088d972
3 changed files with 37 additions and 2 deletions
11
Lib/ssl.py
11
Lib/ssl.py
|
|
@ -81,8 +81,9 @@ _PROTOCOL_NAMES = {
|
|||
}
|
||||
try:
|
||||
from _ssl import PROTOCOL_SSLv2
|
||||
_SSLv2_IF_EXISTS = PROTOCOL_SSLv2
|
||||
except ImportError:
|
||||
pass
|
||||
_SSLv2_IF_EXISTS = None
|
||||
else:
|
||||
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
|
||||
|
||||
|
|
@ -91,6 +92,11 @@ from socket import getnameinfo as _getnameinfo
|
|||
import base64 # for DER-to-PEM translation
|
||||
import errno
|
||||
|
||||
# Disable weak or insecure ciphers by default
|
||||
# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
|
||||
_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
|
||||
|
||||
|
||||
class SSLSocket(socket):
|
||||
|
||||
"""This class implements a subtype of socket.socket that wraps
|
||||
|
|
@ -112,6 +118,9 @@ class SSLSocket(socket):
|
|||
except AttributeError:
|
||||
pass
|
||||
|
||||
if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
|
||||
ciphers = _DEFAULT_CIPHERS
|
||||
|
||||
if certfile and not keyfile:
|
||||
keyfile = certfile
|
||||
# see if it's connected
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue