[pypy-commit] pypy default: CPython Issue #13885 (CVE-2011-3389): the _ssl module would always disable the CBC IV attack countermeasure.
amauryfa
noreply at buildbot.pypy.org
Sat Jan 28 21:08:59 CET 2012
Author: Amaury Forgeot d'Arc <amauryfa at gmail.com>
Branch:
Changeset: r51935:cf1a8868cf4e
Date: 2012-01-28 21:06 +0100
http://bitbucket.org/pypy/pypy/changeset/cf1a8868cf4e/
Log: CPython Issue #13885 (CVE-2011-3389): the _ssl module would always
disable the CBC IV attack countermeasure.
diff --git a/pypy/module/_ssl/interp_ssl.py b/pypy/module/_ssl/interp_ssl.py
--- a/pypy/module/_ssl/interp_ssl.py
+++ b/pypy/module/_ssl/interp_ssl.py
@@ -709,7 +709,8 @@
raise ssl_error(space, "SSL_CTX_use_certificate_chain_file error")
# ssl compatibility
- libssl_SSL_CTX_set_options(ss.ctx, SSL_OP_ALL)
+ libssl_SSL_CTX_set_options(ss.ctx,
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
verification_mode = SSL_VERIFY_NONE
if cert_mode == PY_SSL_CERT_OPTIONAL:
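Review bot: The `# ssl compatibility` comment above the changed `libssl_SSL_CTX_set_options` call no longer explains the line: SSL_OP_ALL is still set for compatibility with buggy peers, but the new code now clears one bit of it, and a reader seeing the mask will not know why it matters. I would replace the comment with `# SSL_OP_ALL enables workarounds for buggy peers, but it also sets SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; clear that bit so OpenSSL keeps inserting empty fragments, the countermeasure for the CBC chained-IV weakness (CVE-2011-3389).` Keeping the empty-fragment countermeasure on is a deliberate interoperability trade-off (the bit is inside SSL_OP_ALL precisely because some peers mishandle empty fragments), and nothing in this code path lets a caller restore it, so that trade-off belongs in the comment too. The enclosing function starts before the hunk.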
diff --git a/pypy/rlib/ropenssl.py b/pypy/rlib/ropenssl.py
--- a/pypy/rlib/ropenssl.py
+++ b/pypy/rlib/ropenssl.py
@@ -66,6 +66,8 @@
OPENSSL_NO_SSL2 = rffi_platform.Defined("OPENSSL_NO_SSL2")
SSL_FILETYPE_PEM = rffi_platform.ConstantInteger("SSL_FILETYPE_PEM")
SSL_OP_ALL = rffi_platform.ConstantInteger("SSL_OP_ALL")
+ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = rffi_platform.ConstantInteger(
+ "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS")
SSL_VERIFY_NONE = rffi_platform.ConstantInteger("SSL_VERIFY_NONE")
SSL_VERIFY_PEER = rffi_platform.ConstantInteger("SSL_VERIFY_PEER")
SSL_VERIFY_FAIL_IF_NO_PEER_CERT = rffi_platform.ConstantInteger("SSL_VERIFY_FAIL_IF_NO_PEER_CERT")