From: Christian Heimes Date: Thu, 28 Nov 2013 07:06:54 +0000 (+0100) Subject: ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME X-Git-Tag: v3.4.0b2~446 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dec813f118f7abffa24a9a0431dea125a6096518;p=thirdparty%2FPython%2Fcpython.git ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME
---
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 72e6a6e6d4ca..b29b90582ed2 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -383,6 +383,8 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
     context = SSLContext(PROTOCOL_TLSv1)
     # SSLv2 considered harmful.
     context.options |= OP_NO_SSLv2
+    # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
+    context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
     # disallow ciphers with known vulnerabilities
     context.set_ciphers(_RESTRICTED_CIPHERS)
     # verify certs in client mode
diff --git a/Misc/NEWS b/Misc/NEWS
index 3c82e1ab218e..6411640cc17b 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,8 @@ Core and Builtins
 Library
 -------
 
+- ssl.create_default_context() sets OP_NO_COMPRESSION to prevent CRIME.
+
 - Issue #19802: Add socket.SO_PRIORITY.
 
 - Issue #11508: Fixed uuid.getnode() and uuid.uuid1() on environment with
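Review bot: The `getattr(_ssl, "OP_NO_COMPRESSION", 0)` fallback on the second added line makes the CRIME mitigation silently best-effort: on an OpenSSL build where the constant is absent the OR with 0 leaves TLS compression enabled and nothing tells the caller. The comment above it reads as an unconditional guarantee, so I would extend it to state the limitation, e.g. `# disable compression to prevent CRIME attacks (OpenSSL 1.0+); a silent no-op where OP_NO_COMPRESSION is unavailable`. A sentence in the create_default_context docstring noting that the protections applied depend on the linked OpenSSL, so callers needing a hard guarantee should check that `ssl.OP_NO_COMPRESSION` is defined, would let operators verify the hardening rather than assume it. The body of create_default_context begins and ends outside this hunk; that `_ssl` is the already-imported C extension module is inferred, not visible here.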