author | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-03 22:46:48 +0100 |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-01-03 22:46:48 +0100 |
commit | 40ddf410601c8a045b1752f34519a8fc26461e36 (patch) | |
tree | 0c15019a193cbd2e04d2603e0e34684781ca6692 /Lib/ssl.py | |
parent | 0725f7e2aea27d5d3ed972a0c508cb158edb9197 (diff) | |
download | cpython-40ddf410601c8a045b1752f34519a8fc26461e36.tar.gz |
Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
Diffstat (limited to 'Lib/ssl.py')
-rw-r--r-- | Lib/ssl.py | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index f3e5123976..1951a620d9 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -81,8 +81,9 @@ _PROTOCOL_NAMES = {
 }
 try:
     from _ssl import PROTOCOL_SSLv2
+    _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
 except ImportError:
-    pass
+    _SSLv2_IF_EXISTS = None
 else:
     _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
 
@@ -91,6 +92,11 @@ from socket import getnameinfo as _getnameinfo
 import base64 # for DER-to-PEM translation
 import errno
 
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+
+
 class SSLSocket(socket):
 
     """This class implements a subtype of socket.socket that wraps
@@ -112,6 +118,9 @@ class SSLSocket(socket):
             except AttributeError:
                 pass
 
+        if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
+            ciphers = _DEFAULT_CIPHERS
+
         if certfile and not keyfile:
             keyfile = certfile
         # see if it's connected
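Review bot: The comment above `_DEFAULT_CIPHERS` in the second hunk states what OpenSSL's own default is but not the contract of the new constant, which is what a maintainer tuning it needs: it is an OpenSSL cipher-list string that the linked OpenSSL expands at runtime, so the concrete suites behind `DEFAULT` differ between OpenSSL builds, and it is only consulted when the caller leaves `ciphers` unset — an explicit `ciphers` argument replaces it entirely rather than being combined with it. Suggest extending the comment with `# Used by SSLSocket only when no ciphers argument is given (and the protocol is not SSLv2); an explicit ciphers string replaces this list. 'DEFAULT' is expanded by the linked OpenSSL, so the effective suites depend on the OpenSSL build.`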
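Review bot: The guard `if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:` in the third hunk silently keeps OpenSSL's unrestricted default for an explicit SSLv2 request, which is the carve-out the commit message describes but nothing at the call site explains; the `!SSLv2` entry in `_DEFAULT_CIPHERS` is presumably the reason, since it would leave an SSLv2-only socket with no usable suites. The sentinel also makes the comparison trivially true on builds where `_SSLv2_IF_EXISTS` is `None`, which is correct only because `ssl_version` is always an integer protocol constant — worth saying so that a later change to the sentinel does not break the check. Suggest `# SSLv2 sockets keep OpenSSL's default list: _DEFAULT_CIPHERS excludes SSLv2 suites. _SSLv2_IF_EXISTS is None when SSLv2 is compiled out, so this check then always applies the default.` above the condition. The enclosing `__init__` starts and ends outside the hunk.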