commit 3f366314e831e0babca220abd734f8ae02776925
author Antoine Pitrou <solipsis@pitrou.net> Fri Jan 27 09:50:45 2012 +0100
committer Antoine Pitrou <solipsis@pitrou.net> Fri Jan 27 09:50:45 2012 +0100
tree 1840944ff83b8298a2e52567c97102ea65ff3397
parent 722db7bdba74c3c82ecd8b2d44daf1e2508b6734
parent f2bf8a6ac51530e14d798a03c8e950dd934d85cd

Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.

Misc/NEWS

diff --git a/Misc/NEWS b/Misc/NEWS
index 5a52b9f..8a85fe4 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -111,6 +111,9 @@
 Library
 -------
 
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
 - Issue #13772: In os.symlink() under Windows, do not try to guess the link
   target's type (file or directory).  The detection was buggy and made the
   call non-atomic (therefore prone to race conditions).

Modules/_ssl.c

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 5419059..751e26e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1481,7 +1481,8 @@
     self->ctx = ctx;
     /* Defaults */
     SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
 #define SID_CTX "Python"
     SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
@@ -2143,7 +2144,8 @@
                             PY_SSL_VERSION_TLS1);
 
     /* protocol options */
-    PyModule_AddIntConstant(m, "OP_ALL", SSL_OP_ALL);
+    PyModule_AddIntConstant(m, "OP_ALL",
+                            SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
     PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
     PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
     PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);