Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index c1c3384..426e261 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1052,7 +1052,7 @@
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
+ try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
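Review bot: The flipped expectation on the `try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)` line carries no explanation, so a later reader cannot tell a deliberate policy change from a flaky result; a one-line comment above it would help, e.g. `# Issue #20207: a PROTOCOL_SSLv23 context now refuses SSLv2, so an SSLv2-only peer must fail`. The same reasoning applies in the reverse direction — a PROTOCOL_SSLv23 client no longer offers SSLv2 to a PROTOCOL_SSLv2-only server — so if the file exercises that combination elsewhere (it is outside this hunk), its expected value presumably needs the same change. The enclosing test function and the try_protocol_combo helper both lie outside the hunk.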
diff --git a/Misc/NEWS b/Misc/NEWS
index 91278d9..3d07704 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -35,6 +35,9 @@
Library
-------
+- Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
+ asked for.
+
- Issue #20072: Fixed multiple errors in tkinter with wantobjects is False.
- Issue #1065986: pydoc can now handle unicode strings.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ba64555..752b033 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -273,6 +273,7 @@
char *errstr = NULL;
int ret;
int verification_mode;
+ long options;
self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
if (self == NULL)
@@ -372,8 +373,10 @@
}
/* ssl compatibility */
- SSL_CTX_set_options(self->ctx,
- SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ if (proto_version != PY_SSL_VERSION_SSL2)
+ options |= SSL_OP_NO_SSLv2;
+ SSL_CTX_set_options(self->ctx, options);
verification_mode = SSL_VERIFY_NONE;
if (certreq == PY_SSL_CERT_OPTIONAL)
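Review bot: The new SSL_OP_NO_SSLv2 logic sits under the old `/* ssl compatibility */` comment, which no longer describes what the block does; replace it with a why-comment such as `/* Issue #20207: SSLv2 is insecure, so disable it unless the caller explicitly requested PROTOCOL_SSLv2 (proto_version == PY_SSL_VERSION_SSL2). */`. Because this also changes what a PROTOCOL_SSLv23 context will negotiate, the ssl module's reference documentation for PROTOCOL_SSLv23 should state that SSLv2 is no longer offered — this diff updates only Misc/NEWS. Note that the computed options never include SSL_OP_NO_SSLv3, so SSLv3 stays enabled for every other protocol selection; that is presumably intentional here, but saying so in the comment tells a later hardening change where to hook in. The enclosing constructor, and the proto_version and self->ctx it uses, begin outside the hunk.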