Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
diff --git a/Lib/ssl.py b/Lib/ssl.py
index ce9ebdf..8137231 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -86,8 +86,9 @@
}
try:
from _ssl import PROTOCOL_SSLv2
+ _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
except ImportError:
- pass
+ _SSLv2_IF_EXISTS = None
else:
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
@@ -98,6 +99,10 @@
import traceback
import errno
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+
class CertificateError(ValueError):
pass
@@ -165,7 +170,10 @@
__slots__ = ('protocol',)
def __new__(cls, protocol, *args, **kwargs):
- return _SSLContext.__new__(cls, protocol)
+ self = _SSLContext.__new__(cls, protocol)
+ if protocol != _SSLv2_IF_EXISTS:
+ self.set_ciphers(_DEFAULT_CIPHERS)
+ return self
def __init__(self, protocol):
self.protocol = protocol