Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
diff --git a/Lib/ssl.py b/Lib/ssl.py
index ce9ebdf..8137231 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -86,8 +86,9 @@
 }
 try:
     from _ssl import PROTOCOL_SSLv2
+    _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
 except ImportError:
-    pass
+    _SSLv2_IF_EXISTS = None
 else:
     _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
 
@@ -98,6 +99,10 @@
 import traceback
 import errno
 
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+
 
 class CertificateError(ValueError):
     pass
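Review bot: `_DEFAULT_CIPHERS` on the added line subtracts only the LOW, EXPORT and SSLv2 groups, so whatever else the linked OpenSSL places in `DEFAULT` stays enabled; on many builds that likely still includes RC4 and MD5-MAC suites. Consider extending the string, e.g. `_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!RC4:!MD5'`, or at least state in the comment that the effective list depends on the OpenSSL build. The comment would also read better if it named what each exclusion removes, for example `# !LOW/!EXPORT drop 56/64-bit and export-grade suites; !SSLv2 drops SSLv2-only suites`.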
@@ -165,7 +170,10 @@
     __slots__ = ('protocol',)
 
     def __new__(cls, protocol, *args, **kwargs):
-        return _SSLContext.__new__(cls, protocol)
+        self = _SSLContext.__new__(cls, protocol)
+        if protocol != _SSLv2_IF_EXISTS:
+            self.set_ciphers(_DEFAULT_CIPHERS)
+        return self
 
     def __init__(self, protocol):
         self.protocol = protocol
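Review bot: The `protocol != _SSLv2_IF_EXISTS` test in `__new__` leaves an explicitly requested SSLv2 context with none of the new exclusions, so LOW and EXPORT suites remain available there, and nothing in the code explains why. The skip is presumably needed because `!SSLv2` would strip every suite such a context can use. If so, an `else:` branch applying the list without that token, `self.set_ciphers('DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT')`, would keep the other exclusions, though it is worth confirming that this leaves a non-empty list on supported OpenSSL builds. Either way, add a comment such as `# SSLv2 contexts are exempt: _DEFAULT_CIPHERS excludes every SSLv2 suite`. The enclosing class starts above the hunk and `__init__` may continue past its end.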