Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 4b02d8d..8789d00 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1737,6 +1737,7 @@
     char *kwlist[] = {"protocol", NULL};
     PySSLContext *self;
     int proto_version = PY_SSL_VERSION_SSL23;
+    long options;
     SSL_CTX *ctx = NULL;
 
     if (!PyArg_ParseTupleAndKeywords(
@@ -1782,8 +1783,10 @@
 #endif
     /* Defaults */
     SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
-    SSL_CTX_set_options(self->ctx,
-                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+    options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    if (proto_version != PY_SSL_VERSION_SSL2)
+        options |= SSL_OP_NO_SSLv2;
+    SSL_CTX_set_options(self->ctx, options);
 
 #define SID_CTX "Python"
     SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
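Review bot: The defaults assembled in this hunk still leave SSLv3 negotiable, because `options` gains `SSL_OP_NO_SSLv2` but nothing in the visible lines sets `SSL_OP_NO_SSLv3`, so a PROTOCOL_SSLv23 context will presumably still accept SSLv3 peers. If compatibility permits, the same guard pattern could follow the new `if`: `if (proto_version != PY_SSL_VERSION_SSL3) options |= SSL_OP_NO_SSLv3;`. Either way, a short comment above the new `if` would record the intent, e.g. `/* SSLv2 is insecure; keep it enabled only when PROTOCOL_SSLv2 was requested explicitly */`. The hunk does not show whether later option changes on the context can clear the bit, so a regression test that checks the resulting options per protocol constant would be worth adding. The enclosing function starts and ends outside the hunk.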