Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
diff --git a/Misc/NEWS b/Misc/NEWS
index b14e169..b70b097 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@
Library
-------
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+ IV attack countermeasure.
+
- Issue #11603: Fix a crash when __str__ is rebound as __repr__. Patch by
Andreas Stührk.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 8ebdc9b..16fbb4d 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -365,7 +365,8 @@
}
/* ssl compatibility */
- SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(self->ctx,
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
verification_mode = SSL_VERIFY_NONE;
if (certreq == PY_SSL_CERT_OPTIONAL)