ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME

ac7d26b6 · Christian Heimes · 7fbb096d · ac7d26b6 · ac7d26b6
Commit ac7d26b6 authored Nov 28, 2013 by Christian Heimes
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

Lib/ssl.py Lib/ssl.py +2 -0

Misc/NEWS Misc/NEWS +2 -0

No files found.
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -383,6 +383,8 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
    context = SSLContext(PROTOCOL_TLSv1)
    # SSLv2 considered harmful.
    context.options |= OP_NO_SSLv2
+    # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
+    context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
    # disallow ciphers with known vulnerabilities
    context.set_ciphers(_RESTRICTED_CIPHERS)
    # verify certs in client mode

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,8 @@ Core and Builtins
 Library
 -------

+- ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME.
+
 - Issue #19802: Add socket.SO_PRIORITY.

 - Issue #11508: Fixed uuid.getnode() and uuid.uuid1() on environment with