diff -r 0eb8c182131e Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py	Wed Sep 02 19:16:07 2015 +0200
+++ b/Lib/test/test_ssl.py	Wed Sep 02 23:00:27 2015 +0200
@@ -121,6 +121,11 @@ def skip_if_broken_ubuntu_ssl(func):
     else:
         return func
 
+# Issue #23965: Handle legacy SSL peers being disallowed by default
+_DEFAULT_OPENSSL_OPTIONS = ssl.SSLContext(ssl.PROTOCOL_TLSv1).options
+SSLv2_PEERS_DISALLOWED = _DEFAULT_OPENSSL_OPTIONS & ssl.OP_NO_SSLv2
+SSLv3_PEERS_DISALLOWED = _DEFAULT_OPENSSL_OPTIONS & ssl.OP_NO_SSLv3
+
 needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test")
 
@@ -784,18 +789,25 @@ class ContextTests(unittest.TestCase):
     @skip_if_broken_ubuntu_ssl
     def test_options(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-        # OP_ALL | OP_NO_SSLv2 is the default value
-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
-                         ctx.options)
-        ctx.options |= ssl.OP_NO_SSLv3
-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
-                         ctx.options)
+        # OP_ALL is the default, potentially with legacy SSL peers disallowed
+        expected_options = ssl.OP_ALL
+        if SSLv2_PEERS_DISALLOWED:
+            expected_options |= ssl.OP_NO_SSLv2
+        if SSLv3_PEERS_DISALLOWED:
+            expected_options |= ssl.OP_NO_SSLv3
+        self.assertEqual(bin(ctx.options), bin(expected_options))
+        expected_options |= ssl.OP_NO_COMPRESSION
+        ctx.options |= ssl.OP_NO_COMPRESSION
+        self.assertEqual(bin(ctx.options), bin(expected_options))
         if can_clear_options():
-            ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
-            self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
-                             ctx.options)
+            expected_options = (ssl.OP_ALL |
+                                ssl.OP_NO_TLSv1 |
+                                ssl.OP_NO_COMPRESSION)
+            ctx.options &= ~ssl.OP_NO_SSLv2 & ~ssl.OP_NO_SSLv3
+            ctx.options |= ssl.OP_NO_TLSv1
+            self.assertEqual(bin(ctx.options), bin(expected_options))
             ctx.options = 0
-            self.assertEqual(0, ctx.options)
+            self.assertEqual(ctx.options, 0)
         else:
             with self.assertRaises(ValueError):
                 ctx.options = 0
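Review bot: The comment on the new module-level probe names the issue but not what the three constants mean, so a reader has to infer that some OpenSSL builds turn on OP_NO_SSLv2/OP_NO_SSLv3 in a fresh context's default options; I'd extend it to `# Issue #23965: some OpenSSL builds disallow SSLv2/SSLv3 peers by default; probe a fresh context once so the tests below can adapt their expectations.` The probe uses a PROTOCOL_TLSv1 context, while the protocol tests in the later hunks exercise PROTOCOL_SSLv23 contexts; if a build applies the option only to some methods the probe would not reflect them, which may be worth a sentence in the comment. The two `*_PEERS_DISALLOWED` names hold the raw option bit rather than a bool, which works for the truthiness checks below but could be wrapped in `bool(...)` to make the intent explicit.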
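Review bot: Making OP_NO_SSLv2 conditional on `SSLv2_PEERS_DISALLOWED` weakens the first assertion in test_options, because that constant is derived from the options of an identically constructed context, so the check can no longer catch a regression where a PROTOCOL_TLSv1 context stops disabling SSLv2 by default. The old assertion treated OP_NO_SSLv2 as unconditional, and if the ssl module itself sets it when creating the context (as that assertion assumed) the expectation should stay fixed: `expected_options = ssl.OP_ALL | ssl.OP_NO_SSLv2` with only the OP_NO_SSLv3 bit conditional. The `bin(...)` comparison is a readability gain for failure output, and `ctx.options &= ~ssl.OP_NO_SSLv2 & ~ssl.OP_NO_SSLv3` is correct as written since `~a & ~b` is evaluated before the augmented assignment, though a why-comment such as `# clear both legacy-protocol bits so the expectation is build-independent` would help the next reader.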
@@ -2450,18 +2462,19 @@ else:
                         sys.stdout.write(
                             " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
                             % str(x))
+            v3_ok = 'SSLv3' if not SSLv3_PEERS_DISALLOWED else False
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, v3_ok)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
 
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, v3_ok, ssl.CERT_OPTIONAL)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
 
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, v3_ok, ssl.CERT_REQUIRED)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
@@ -2491,7 +2504,7 @@ else:
                 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
                                    client_options=ssl.OP_NO_SSLv3)
                 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
-                if no_sslv2_implies_sslv3_hello():
+                if not SSLv3_PEERS_DISALLOWED and no_sslv2_implies_sslv3_hello():
                     # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
                     try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3',
                                        client_options=ssl.OP_NO_SSLv2)
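Review bot: `v3_ok` mixes a protocol-name string with `False`, and the conditional is written negated (`'SSLv3' if not ... else False`), which makes the three call sites harder to read than necessary; `v3_expected = False if SSLv3_PEERS_DISALLOWED else 'SSLv3'` states the same thing directly. A short comment at the assignment would also record why the expectation flips, for example `# With SSLv3 disallowed by default the SSLv23 side refuses the SSLv3 peer, so the combo must fail`; I am inferring the server/client roles from the argument order of try_protocol_combo, which is defined outside this hunk. The enclosing test method starts before the hunk.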
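Review bot: Guarding the SSLv3-server/SSLv23-client combo with `not SSLv3_PEERS_DISALLOWED` skips the case entirely on builds that disable SSLv3 by default, so those builds get no assertion that the handshake actually fails, whereas the previous hunk expresses the same situation as an expected failure through `v3_ok`. Keeping the condition as `if no_sslv2_implies_sslv3_hello():` and passing `False if SSLv3_PEERS_DISALLOWED else 'SSLv3'` as the expectation would preserve coverage on both kinds of build, provided the client's default OP_NO_SSLv3 really does make the combo fail, which this hunk does not show. The comment `# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs` should in any case mention the new SSLv3 condition. The enclosing function begins and ends outside the hunk.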