diff -r 725131a5f6cf Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py Sat Jul 04 22:52:33 2015 -0500
+++ b/Lib/test/test_ssl.py Sun Jul 05 21:21:32 2015 +1000
@@ -115,6 +115,11 @@
else:
return func
+# Issue #23965: Handle legacy SSL peers being disallowed by default
+_DEFAULT_OPENSSL_OPTIONS = ssl.SSLContext(ssl.PROTOCOL_TLSv1).options
+SSLv2_PEERS_DISALLOWED = _DEFAULT_OPENSSL_OPTIONS & ssl.OP_NO_SSLv2
+SSLv3_PEERS_DISALLOWED = _DEFAULT_OPENSSL_OPTIONS & ssl.OP_NO_SSLv3
+
needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test")
@@ -674,18 +679,25 @@
@skip_if_broken_ubuntu_ssl
def test_options(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- # OP_ALL | OP_NO_SSLv2 is the default value
- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
- ctx.options)
- ctx.options |= ssl.OP_NO_SSLv3
- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
- ctx.options)
+ # OP_ALL is the default, potentially with legacy SSL peers disallowed
+ expected_options = ssl.OP_ALL
+ if SSLv2_PEERS_DISALLOWED:
+ expected_options |= ssl.OP_NO_SSLv2
+ if SSLv3_PEERS_DISALLOWED:
+ expected_options |= ssl.OP_NO_SSLv3
+ self.assertEqual(bin(ctx.options), bin(expected_options))
+ expected_options |= ssl.OP_NO_COMPRESSION
+ ctx.options |= ssl.OP_NO_COMPRESSION
+ self.assertEqual(bin(ctx.options), bin(expected_options))
if can_clear_options():
- ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
- ctx.options)
+ expected_options = (ssl.OP_ALL |
+ ssl.OP_NO_TLSv1 |
+ ssl.OP_NO_COMPRESSION)
+ ctx.options &= ~ssl.OP_NO_SSLv2 & ~ssl.OP_NO_SSLv3
+ ctx.options |= ssl.OP_NO_TLSv1
+ self.assertEqual(bin(ctx.options), bin(expected_options))
ctx.options = 0
- self.assertEqual(0, ctx.options)
+ self.assertEqual(ctx.options, 0)
else:
with self.assertRaises(ValueError):
ctx.options = 0
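Review bot: `SSLv2_PEERS_DISALLOWED` and `SSLv3_PEERS_DISALLOWED` are raw bitmask ints (the result of `& ssl.OP_NO_SSLv2` / `& ssl.OP_NO_SSLv3`) although every consumer in this diff treats them as flags (`if SSLv2_PEERS_DISALLOWED:`, `not SSLv3_PEERS_DISALLOWED`); wrapping each in `bool(...)` states that intent and protects against a later `== True` comparison silently failing. The one-line comment also does not say why a probe is needed, and the name "peers disallowed" is one step removed from what is actually measured, the default option bits of a fresh `PROTOCOL_TLSv1` context. I would expand it to `# Issue #23965: whether a fresh context already carries OP_NO_SSLv2 / OP_NO_SSLv3 depends on the OpenSSL build, so probe once at import and derive the expected masks from the probe instead of hard-coding them`. Probing at import time means a failing `ssl.SSLContext(ssl.PROTOCOL_TLSv1)` aborts the whole module rather than one test; presumably acceptable here since the module already depends on `ssl` importing, but worth a word in the comment.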
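Review bot: The new assertions compare `bin(ctx.options)` with `bin(expected_options)` without saying why, which reads like an accident to anyone who knows `assertEqual` handles ints; a short comment such as `# compare as bit strings so a failure shows which option bits differ` keeps the next maintainer from "simplifying" it back. In the `can_clear_options()` branch `expected_options` is then rebuilt from literal constants while the first check derived it from the probed defaults, so the two halves of the test have different sources of truth; deriving it from the earlier value, `expected_options = (expected_options & ~ssl.OP_NO_SSLv2 & ~ssl.OP_NO_SSLv3) | ssl.OP_NO_TLSv1`, yields the same `OP_ALL | OP_NO_TLSv1 | OP_NO_COMPRESSION` mask and mirrors exactly what is done to `ctx.options` two lines below. The swap to `self.assertEqual(ctx.options, 0)` is fine on its own, but it is the only place the argument order was changed, so it looks like drive-by churn rather than part of the fix.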
@@ -2171,18 +2183,19 @@
sys.stdout.write(
" SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
% str(x))
+v3_ok = not SSLv3_PEERS_DISALLOWED
if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, v3_ok)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, v3_ok, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
if hasattr(ssl, 'PROTOCOL_SSLv3'):
- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, v3_ok, ssl.CERT_REQUIRED)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
@@ -2212,7 +2225,7 @@
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
client_options=ssl.OP_NO_SSLv3)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
- if no_sslv2_implies_sslv3_hello():
+ if not SSLv3_PEERS_DISALLOWED and no_sslv2_implies_sslv3_hello():
# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,
client_options=ssl.OP_NO_SSLv2)
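Review bot: `v3_ok = not SSLv3_PEERS_DISALLOWED` is introduced without a comment, and its only consumers are the three `try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, v3_ok, ...)` calls, so a reader has to chase the module-level probe to learn that the handshake is now expected to fail when the SSLv23 server's default options already carry OP_NO_SSLv3 (I am inferring from the first hunk that the server context keeps those defaults; `try_protocol_combo` itself is outside this diff). I would add `# an SSLv3-only client must be refused when OP_NO_SSLv3 is in the default context options` directly above the assignment. The flag is also computed even when the unchanged `hasattr(ssl, 'PROTOCOL_SSLv3')` guards skip every SSLv3 combo, which is harmless but suggests it belongs next to the first guard. The enclosing test method starts before this hunk and continues after it.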
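Review bot: With `SSLv3_PEERS_DISALLOWED` set, the changed `if` skips the SSLv3-client/SSLv23-server combo entirely instead of asserting that it is refused, which is the opposite of what the hunk at `@@ -2171` does by passing `v3_ok` as the expectation; keeping the original `if no_sslv2_implies_sslv3_hello():` and passing the flag through, `try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, not SSLv3_PEERS_DISALLOWED, client_options=ssl.OP_NO_SSLv2)`, keeps the negative case covered, assuming `try_protocol_combo` leaves the server's default OP_NO_SSLv3 in place (its body is outside this diff). The comment on the next line still explains only the SSLv2 half (`# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs`) and should add that the server must also still accept SSLv3 for the handshake to succeed. The enclosing test method starts outside the hunk.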