This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients alex, christian.heimes, dstufft, giampaolo.rodola, janssen, mbasti, pitrou, vstinner
Date 2014-10-24.15:13:04
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1414163585.04.0.660417851276.issue22717@psf.upfronthosting.co.za>
In-reply-to
Content
> 317	        self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

I don't see this line in Python 2.7.8 vanilla:
https://hg.python.org/cpython/file/ee879c0ffa11/Modules/_ssl.c

It looks like Fedora patched the source code:
http://pkgs.fedoraproject.org/cgit/python.git/tree/00195-enable-sslv23-in-ssl.patch

I see an obvious bug in the Fedora patch: it dereferences self->ctx before checking if self->ctx is NULL.

diff -up Python-2.7.8/Modules/_ssl.c.orig Python-2.7.8/Modules/_ssl.c
--- Python-2.7.8/Modules/_ssl.c.orig	2014-07-17 14:17:32.584362667 +0200
+++ Python-2.7.8/Modules/_ssl.c	2014-07-17 14:17:38.215405930 +0200
@@ -312,8 +312,10 @@ newPySSLObject(PySocketSockObject *Sock,
     else if (proto_version == PY_SSL_VERSION_SSL2)
         self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
 #endif
-    else if (proto_version == PY_SSL_VERSION_SSL23)
+    else if (proto_version == PY_SSL_VERSION_SSL23) {
         self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
+        self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+    }
     PySSL_END_ALLOW_THREADS
 
     if (self->ctx == NULL) {
History
Date User Action Args
2014-10-24 15:13:05vstinnersetrecipients: + vstinner, janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft, mbasti
2014-10-24 15:13:05vstinnersetmessageid: <1414163585.04.0.660417851276.issue22717@psf.upfronthosting.co.za>
2014-10-24 15:13:05vstinnerlinkissue22717 messages
2014-10-24 15:13:04vstinnercreate