Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.

commit: f2bf8a6ac51530e14d798a03c8e950dd934d85cd [log] [tgz]
author: Antoine Pitrou <solipsis@pitrou.net> Fri Jan 27 09:48:47 2012 +0100
committer: Antoine Pitrou <solipsis@pitrou.net> Fri Jan 27 09:48:47 2012 +0100
tree: 3a1cc25e0096d15d7158f43ceb0a8b786b04b17b
parent: 889bb2969d00a548279c7e4dd237c23b100548e2 [diff]
diff --git a/Misc/NEWS b/Misc/NEWS
index b14e169..b70b097 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS

@@ -13,6 +13,9 @@
 Library
 -------
 
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
 - Issue #11603: Fix a crash when __str__ is rebound as __repr__.  Patch by
   Andreas Stührk.
 

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 8ebdc9b..16fbb4d 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c

@@ -365,7 +365,8 @@
     }
 
     /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
     verification_mode = SSL_VERIFY_NONE;
     if (certreq == PY_SSL_CERT_OPTIONAL)
commit	f2bf8a6ac51530e14d798a03c8e950dd934d85cd	[log] [tgz]
author	Antoine Pitrou <solipsis@pitrou.net>	Fri Jan 27 09:48:47 2012 +0100
committer	Antoine Pitrou <solipsis@pitrou.net>	Fri Jan 27 09:48:47 2012 +0100
tree	3a1cc25e0096d15d7158f43ceb0a8b786b04b17b
parent	889bb2969d00a548279c7e4dd237c23b100548e2 [diff]