Author: Amaury Forgeot d'Arc <[email protected]>
Branch: py3.6
Changeset: r94416:fc92860d2c30
Date: 2018-04-22 21:11 +0200
http://bitbucket.org/pypy/pypy/changeset/fc92860d2c30/
Log: Apply the rest of CPython Issue 28043. This part is not well
tested...
diff --git a/lib_pypy/_cffi_ssl/_stdssl/__init__.py
b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
--- a/lib_pypy/_cffi_ssl/_stdssl/__init__.py
+++ b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
@@ -833,13 +833,24 @@
options |= lib.SSL_OP_NO_SSLv3
# Minimal security flags for server and client side context.
# Client sockets ignore server-side parameters.
- options |= lib.SSL_OP_NO_COMPRESSION;
- options |= lib.SSL_OP_CIPHER_SERVER_PREFERENCE;
- options |= lib.SSL_OP_SINGLE_DH_USE;
- options |= lib.SSL_OP_SINGLE_ECDH_USE;
+ options |= lib.SSL_OP_NO_COMPRESSION
+ options |= lib.SSL_OP_CIPHER_SERVER_PREFERENCE
+ options |= lib.SSL_OP_SINGLE_DH_USE
+ options |= lib.SSL_OP_SINGLE_ECDH_USE
lib.SSL_CTX_set_options(self.ctx, options)
lib.SSL_CTX_set_session_id_context(self.ctx, b"Python", len(b"Python"))
+ # A bare minimum cipher list without completely broken cipher suites.
+ # It's far from perfect but gives users a better head start.
+ if lib.Cryptography_HAS_SSL2 and protocol == PROTOCOL_SSLv2:
+ # SSLv2 needs MD5
+ default_ciphers = b"HIGH:!aNULL:!eNULL"
+ else:
+ default_ciphers = b"HIGH:!aNULL:!eNULL:!MD5"
+ if not lib.SSL_CTX_set_cipher_list(ctx, default_ciphers):
+ lib.ERR_clear_error()
+ raise SSLError("No cipher can be selected.")
+
if HAS_ECDH:
# Allow automatic ECDH curve selection (on
# OpenSSL 1.0.2+), or use prime256v1 by default.
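Review bot: The new `lib.SSL_CTX_set_cipher_list(ctx, default_ciphers)` call passes a bare `ctx`, while every neighbouring call in this hunk uses `self.ctx` (`SSL_CTX_set_options`, `SSL_CTX_set_session_id_context`); unless a local `ctx` is bound earlier in the enclosing function, which starts outside the hunk, this raises NameError on every context construction, and the commit message itself says this part is untested. The line should read `if not lib.SSL_CTX_set_cipher_list(self.ctx, default_ciphers):`. The same scope question applies to `protocol` and `PROTOCOL_SSLv2` on the new `if` line, which I assume are the constructor argument and a module constant but cannot confirm from here. It would also be worth noting in the comment above the `default_ciphers` block that the string mirrors CPython's bpo-28043 default so that future divergence is deliberate, e.g. `# Same default as CPython (bpo-28043); keep in sync.`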