authorAntoine Pitrou <solipsis@pitrou.net>2012-01-03 22:46:48 +0100
committerAntoine Pitrou <solipsis@pitrou.net>2012-01-03 22:46:48 +0100
commit40ddf410601c8a045b1752f34519a8fc26461e36 (patch)
tree0c15019a193cbd2e04d2603e0e34684781ca6692 /Lib/ssl.py
parent0725f7e2aea27d5d3ed972a0c508cb158edb9197 (diff)
Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
Diffstat (limited to 'Lib/ssl.py')
-rw-r--r--Lib/ssl.py11
1 files changed, 10 insertions, 1 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index f3e5123976..1951a620d9 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -81,8 +81,9 @@ _PROTOCOL_NAMES = {
}
try:
from _ssl import PROTOCOL_SSLv2
+ _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
except ImportError:
- pass
+ _SSLv2_IF_EXISTS = None
else:
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
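Review bot: `_SSLv2_IF_EXISTS` is introduced in this try/except without a comment saying what it is for, and its only reader is the `ssl_version != _SSLv2_IF_EXISTS` test added in the SSLSocket hunk further down, so a maintainer reading this block alone cannot tell why the import result is being recorded. I would add above the `try:` a comment such as `# PROTOCOL_SSLv2 when this build's OpenSSL supports it, else None; SSLSocket compares ssl_version against it to skip _DEFAULT_CIPHERS (which excludes SSLv2 suites) when the caller explicitly asks for SSLv2.` It is also worth stating that on builds without SSLv2 the sentinel is None, so the comparison is always true and the hardened default applies to every protocol, which appears to be the intended outcome.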
@@ -91,6 +92,11 @@ from socket import getnameinfo as _getnameinfo
import base64 # for DER-to-PEM translation
import errno
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+
+
class SSLSocket(socket):
"""This class implements a subtype of socket.socket that wraps
@@ -112,6 +118,9 @@ class SSLSocket(socket):
except AttributeError:
pass
+ if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
+ ciphers = _DEFAULT_CIPHERS
+
if certfile and not keyfile:
keyfile = certfile
# see if it's connected