Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ba64555..752b033 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -273,6 +273,7 @@
     char *errstr = NULL;
     int ret;
     int verification_mode;
+    long options;
 
     self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
     if (self == NULL)
@@ -372,8 +373,10 @@
     }
 
     /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx,
-                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+    options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    if (proto_version != PY_SSL_VERSION_SSL2)
+        options |= SSL_OP_NO_SSLv2;
+    SSL_CTX_set_options(self->ctx, options);
 
     verification_mode = SSL_VERIFY_NONE;
     if (certreq == PY_SSL_CERT_OPTIONAL)
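Review bot: The `/* ssl compatibility */` comment above the new lines now covers a security decision as well as bug workarounds, and nothing at the `if (proto_version != PY_SSL_VERSION_SSL2)` guard says why the option is set. I would add `/* SSLv2 is insecure: keep it enabled only when PROTOCOL_SSLv2 was requested explicitly */` directly before the guard. The guard removes SSLv2 only, so a context created for any other protocol constant still gets no `SSL_OP_NO_SSLv3`; if that is deliberate, the same comment should say so. If `PY_SSL_VERSION_SSL2` is declared only when OpenSSL is built with SSLv2 support (the enum is not visible here), the comparison needs a matching `#ifndef OPENSSL_NO_SSL2` around it so the option is still set unconditionally on such builds. The enclosing function starts and ends outside the hunk.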