Issue #13636: Weak ciphers are now disabled by default in the ssl module

(except when SSLv2 is explicitly asked for).

Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
d76088d9 · Antoine Pitrou · 499718de · d76088d9 · d76088d9 · d76088d9
Commit d76088d9 authored Jan 03, 2012 by Antoine Pitrou
Show whitespace changes
Inline Side-by-side

Showing with 37 additions and 2 deletions

Lib/ssl.py Lib/ssl.py +10 -1

Lib/test/test_ssl.py Lib/test/test_ssl.py +24 -1

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -81,8 +81,9 @@ _PROTOCOL_NAMES = {
 }
 try:
    from _ssl import PROTOCOL_SSLv2
+    _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
 except ImportError:
-    pass
+    _SSLv2_IF_EXISTS = None
 else:
    _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
@@ -91,6 +92,11 @@ from socket import getnameinfo as _getnameinfo
 import base64        # for DER-to-PEM translation
 import errno
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
 class SSLSocket(socket):
    """This class implements a subtype of socket.socket that wraps
@@ -112,6 +118,9 @@ class SSLSocket(socket):
            except AttributeError:
                pass
+        if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
+            ciphers = _DEFAULT_CIPHERS
        if certfile and not keyfile:
            keyfile = certfile
        # see if it's connected

--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -417,10 +417,11 @@ else:
                                                   ca_certs=self.server.cacerts,
                                                   cert_reqs=self.server.certreqs,
                                                   ciphers=self.server.ciphers)
-                except ssl.SSLError:
+                except ssl.SSLError as e:
                    # XXX Various errors can have happened here, for example
                    # a mismatching protocol version, an invalid certificate,
                    # or a low-level bug. This should be made more discriminating.
+                    self.server.conn_errors.append(e)
                    if self.server.chatty:
                        handle_error("\n server:  bad connection attempt from " +
                                     str(self.sock.getpeername()) + ":\n")
@@ -529,12 +530,14 @@ else:
                    sys.stdout.write(' server:  wrapped server socket as %s\n' % str(self.sock))
            self.port = test_support.bind_port(self.sock)
            self.active = False
+            self.conn_errors = []
            threading.Thread.__init__(self)
            self.daemon = True
        def __enter__(self):
            self.start(threading.Event())
            self.flag.wait()
+            return self
        def __exit__(self, *args):
            self.stop()
@@ -649,6 +652,7 @@ else:
        def __enter__(self):
            self.start(threading.Event())
            self.flag.wait()
+            return self
        def __exit__(self, *args):
            if test_support.verbose:
@@ -1310,6 +1314,25 @@ else:
                t.join()
                server.close()
+        def test_default_ciphers(self):
+            with ThreadedEchoServer(CERTFILE,
+                                    ssl_version=ssl.PROTOCOL_SSLv23,
+                                    chatty=False) as server:
+                sock = socket.socket()
+                try:
+                    # Force a set of weak ciphers on our client socket
+                    try:
+                        s = ssl.wrap_socket(sock,
+                                            ssl_version=ssl.PROTOCOL_SSLv23,
+                                            ciphers="DES")
+                    except ssl.SSLError:
+                        self.skipTest("no DES cipher available")
+                    with self.assertRaises((OSError, ssl.SSLError)):
+                        s.connect((HOST, server.port))
+                finally:
+                    sock.close()
+            self.assertIn("no shared cipher", str(server.conn_errors[0]))
 def test_main(verbose=False):
    global CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, NOKIACERT

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -89,6 +89,9 @@ Core and Builtins
 Library
 -------
+- Issue #13636: Weak ciphers are now disabled by default in the ssl module
+  (except when SSLv2 is explicitly asked for).
 - Issue #12798: Updated the mimetypes documentation.
 - Issue #13639: Accept unicode filenames in tarfile.open(mode="w|gz").