Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.

d358e055 · Antoine Pitrou · 141e770e · d358e055 · d358e055
Commit d358e055 authored Jan 27, 2012 by Antoine Pitrou
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

Misc/NEWS Misc/NEWS +3 -0

Modules/_ssl.c Modules/_ssl.c +2 -1

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------

+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+

 What's New in Python 2.6.7?
 ===========================

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -357,7 +357,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
    }

    /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

    verification_mode = SSL_VERIFY_NONE;
    if (certreq == PY_SSL_CERT_OPTIONAL)