Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for).
diff --git a/Lib/ssl.py b/Lib/ssl.py
index f3e5123..1951a62 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -81,8 +81,9 @@
}
try:
from _ssl import PROTOCOL_SSLv2
+ _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
except ImportError:
- pass
+ _SSLv2_IF_EXISTS = None
else:
_PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
@@ -91,6 +92,11 @@
import base64 # for DER-to-PEM translation
import errno
+# Disable weak or insecure ciphers by default
+# (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+
+
class SSLSocket(socket):
"""This class implements a subtype of socket.socket that wraps
@@ -112,6 +118,9 @@
except AttributeError:
pass
+ if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:
+ ciphers = _DEFAULT_CIPHERS
+
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
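Review bot: The new guard `if ciphers is None and ssl_version != _SSLv2_IF_EXISTS:` carries no comment saying why SSLv2 is the one protocol left on OpenSSL's wider default cipher list, and the reason is not obvious from this hunk alone: `_DEFAULT_CIPHERS` ends in `!SSLv2`, which presumably leaves a PROTOCOL_SSLv2 socket with no usable suite, so the fallback is a functional necessity rather than a security choice. I would add `# _DEFAULT_CIPHERS contains '!SSLv2'; forcing it on an SSLv2 socket would leave no cipher suites, so SSLv2 keeps OpenSSL's own default` above the check. It would also help to note that `_SSLv2_IF_EXISTS` is `None` on builds without SSLv2, in which case the comparison is always true and the restricted list is applied unconditionally. The enclosing `__init__` begins and ends outside this hunk, so I cannot confirm from here whether `ssl_version` is validated before this point.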