1 files changed, 0 insertions, 272 deletions
diff --git a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch b/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
deleted file mode 100644
index 321b4afa12..0000000000
--- a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
+++ /dev/null
@@ -1,272 +0,0 @@
-From 758e7463c104f71b810c8588166747eeab6148d7 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Sat, 10 Sep 2016 22:43:48 +0200
-Subject: [PATCH 1/4] Issue 28043: SSLContext has improved default settings
-The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
-Upstream-Status: Backport
-[https://github.com/python/cpython/commit/358cfd426ccc0fcd6a7940d306602138e76420ae]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
- Doc/library/ssl.rst  |  9 ++++++-
- Lib/ssl.py           | 30 +++++----------------
- Lib/test/test_ssl.py | 62 +++++++++++++++++++++++---------------------
- Modules/_ssl.c       | 31 ++++++++++++++++++++++
- 4 files changed, 78 insertions(+), 54 deletions(-)
-diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
-index a2f008346b..14f2d68217 100644
--- a/Doc/library/ssl.rst
-+++ b/Doc/library/ssl.rst
-@@ -1151,7 +1151,14 @@ to speed up repeated connections from the same clients.
- 
-    .. versionchanged:: 3.5.3
- 
-      :data:`PROTOCOL_TLS` is the default value.
-+      The context is created with secure default values. The options
-+      :data:`OP_NO_COMPRESSION`, :data:`OP_CIPHER_SERVER_PREFERENCE`,
-+      :data:`OP_SINGLE_DH_USE`, :data:`OP_SINGLE_ECDH_USE`,
-+      :data:`OP_NO_SSLv2` (except for :data:`PROTOCOL_SSLv2`),
-+      and :data:`OP_NO_SSLv3` (except for :data:`PROTOCOL_SSLv3`) are
-+      set by default. The initial cipher suite list contains only ``HIGH``
-+      ciphers, no ``NULL`` ciphers and no ``MD5`` ciphers (except for
-+      :data:`PROTOCOL_SSLv2`).
- 
- 
- :class:`SSLContext` objects have the following methods and attributes:
-diff --git a/Lib/ssl.py b/Lib/ssl.py
-index e1913904f3..4d302a78fa 100644
--- a/Lib/ssl.py
-+++ b/Lib/ssl.py
-@@ -446,32 +446,16 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
-     if not isinstance(purpose, _ASN1Object):
-         raise TypeError(purpose)
- 
-+    # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
-+    # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
-+    # by default.
-     context = SSLContext(PROTOCOL_TLS)
- 
-    # SSLv2 considered harmful.
-    context.options |= OP_NO_SSLv2
-
-    # SSLv3 has problematic security and is only required for really old
-    # clients such as IE6 on Windows XP
-    context.options |= OP_NO_SSLv3
-
-    # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
-    context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
-
-     if purpose == Purpose.SERVER_AUTH:
-         # verify certs and host name in client mode
-         context.verify_mode = CERT_REQUIRED
-         context.check_hostname = True
-     elif purpose == Purpose.CLIENT_AUTH:
-        # Prefer the server's ciphers by default so that we get stronger
-        # encryption
-        context.options |= getattr(_ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
-
-        # Use single use keys in order to improve forward secrecy
-        context.options |= getattr(_ssl, "OP_SINGLE_DH_USE", 0)
-        context.options |= getattr(_ssl, "OP_SINGLE_ECDH_USE", 0)
-
-        # disallow ciphers with known vulnerabilities
-         context.set_ciphers(_RESTRICTED_SERVER_CIPHERS)
- 
-     if cafile or capath or cadata:
-@@ -497,12 +481,10 @@ def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
-     if not isinstance(purpose, _ASN1Object):
-         raise TypeError(purpose)
- 
-+    # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
-+    # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
-+    # by default.
-     context = SSLContext(protocol)
-    # SSLv2 considered harmful.
-    context.options |= OP_NO_SSLv2
-    # SSLv3 has problematic security and is only required for really old
-    # clients such as IE6 on Windows XP
-    context.options |= OP_NO_SSLv3
- 
-     if cert_reqs is not None:
-         context.verify_mode = cert_reqs
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index ffb7314f57..f91af7bd05 100644
--- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -73,6 +73,12 @@ NULLBYTECERT = data_file("nullbytecert.pem")
- DHFILE = data_file("dh1024.pem")
- BYTES_DHFILE = os.fsencode(DHFILE)
- 
-+# Not defined in all versions of OpenSSL
-+OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
-+OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
-+OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
-+OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
-+
- 
- def handle_error(prefix):
-     exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
-@@ -839,8 +845,9 @@ class ContextTests(unittest.TestCase):
-         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-         # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
-         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
-        if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
-            default |= ssl.OP_NO_COMPRESSION
-+        # SSLContext also enables these by default
-+        default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
-+                    OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE)
-         self.assertEqual(default, ctx.options)
-         ctx.options |= ssl.OP_NO_TLSv1
-         self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
-@@ -1205,16 +1212,29 @@ class ContextTests(unittest.TestCase):
-             stats["x509"] += 1
-             self.assertEqual(ctx.cert_store_stats(), stats)
- 
-+    def _assert_context_options(self, ctx):
-+        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-+        if OP_NO_COMPRESSION != 0:
-+            self.assertEqual(ctx.options & OP_NO_COMPRESSION,
-+                             OP_NO_COMPRESSION)
-+        if OP_SINGLE_DH_USE != 0:
-+            self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
-+                             OP_SINGLE_DH_USE)
-+        if OP_SINGLE_ECDH_USE != 0:
-+            self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
-+                             OP_SINGLE_ECDH_USE)
-+        if OP_CIPHER_SERVER_PREFERENCE != 0:
-+            self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
-+                             OP_CIPHER_SERVER_PREFERENCE)
-+
-     def test_create_default_context(self):
-         ctx = ssl.create_default_context()
-+
-         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
-         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
-         self.assertTrue(ctx.check_hostname)
-        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-        self.assertEqual(
-            ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
-            getattr(ssl, "OP_NO_COMPRESSION", 0),
-        )
-+        self._assert_context_options(ctx)
-+
- 
-         with open(SIGNING_CA) as f:
-             cadata = f.read()
-@@ -1222,40 +1242,24 @@ class ContextTests(unittest.TestCase):
-                                          cadata=cadata)
-         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
-         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
-        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-        self.assertEqual(
-            ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
-            getattr(ssl, "OP_NO_COMPRESSION", 0),
-        )
-+        self._assert_context_options(ctx)
- 
-         ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
-         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
-        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-        self.assertEqual(
-            ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
-            getattr(ssl, "OP_NO_COMPRESSION", 0),
-        )
-        self.assertEqual(
-            ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0),
-            getattr(ssl, "OP_SINGLE_DH_USE", 0),
-        )
-        self.assertEqual(
-            ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
-            getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
-        )
-+        self._assert_context_options(ctx)
- 
-     def test__create_stdlib_context(self):
-         ctx = ssl._create_stdlib_context()
-         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
-         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
-         self.assertFalse(ctx.check_hostname)
-        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-+        self._assert_context_options(ctx)
- 
-         ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
-         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
-         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
-        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-+        self._assert_context_options(ctx)
- 
-         ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,
-                                          cert_reqs=ssl.CERT_REQUIRED,
-@@ -1263,12 +1267,12 @@ class ContextTests(unittest.TestCase):
-         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
-         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
-         self.assertTrue(ctx.check_hostname)
-        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-+        self._assert_context_options(ctx)
- 
-         ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
-         self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
-         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
-        self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
-+        self._assert_context_options(ctx)
- 
-     def test_check_hostname(self):
-         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-diff --git a/Modules/_ssl.c b/Modules/_ssl.c
-index 86482677ae..0d5c121d2c 100644
--- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -2330,6 +2330,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
-     PySSLContext *self;
-     long options;
-     SSL_CTX *ctx = NULL;
-+    int result;
- #if defined(SSL_MODE_RELEASE_BUFFERS)
-     unsigned long libver;
- #endif
-@@ -2393,8 +2394,38 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
-         options |= SSL_OP_NO_SSLv2;
-     if (proto_version != PY_SSL_VERSION_SSL3)
-         options |= SSL_OP_NO_SSLv3;
-+    /* Minimal security flags for server and client side context.
-+     * Client sockets ignore server-side parameters. */
-+#ifdef SSL_OP_NO_COMPRESSION
-+    options |= SSL_OP_NO_COMPRESSION;
-+#endif
-+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-+    options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
-+#endif
-+#ifdef SSL_OP_SINGLE_DH_USE
-+    options |= SSL_OP_SINGLE_DH_USE;
-+#endif
-+#ifdef SSL_OP_SINGLE_ECDH_USE
-+    options |= SSL_OP_SINGLE_ECDH_USE;
-+#endif
-     SSL_CTX_set_options(self->ctx, options);
- 
-+    /* A bare minimum cipher list without completly broken cipher suites.
-+     * It's far from perfect but gives users a better head start. */
-+    if (proto_version != PY_SSL_VERSION_SSL2) {
-+        result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5");
-+    } else {
-+        /* SSLv2 needs MD5 */
-+        result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
-+    }
-+    if (result == 0) {
-+        Py_DECREF(self);
-+        ERR_clear_error();
-+        PyErr_SetString(PySSLErrorObject,
-+                        "No cipher can be selected.");
-+        return NULL;
-+    }
-+
- #if defined(SSL_MODE_RELEASE_BUFFERS)
-     /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory
-        usage for no cost at all. However, don't do this for OpenSSL versions
-- 
-2.17.1

diff --git a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch b/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch deleted file mode 100644 index 321b4afa12..0000000000 --- a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch +++ /dev/null
@@ -1,272 +0,0 @@
1	From 758e7463c104f71b810c8588166747eeab6148d7 Mon Sep 17 00:00:00 2001
2	From: Christian Heimes <christian@python.org>
3	Date: Sat, 10 Sep 2016 22:43:48 +0200
4	Subject: [PATCH 1/4] Issue 28043: SSLContext has improved default settings
5
6	The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
7
8	Upstream-Status: Backport
9	[https://github.com/python/cpython/commit/358cfd426ccc0fcd6a7940d306602138e76420ae]
10
11	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
12	---
13	Doc/library/ssl.rst \| 9 ++++++-
14	Lib/ssl.py \| 30 +++++----------------
15	Lib/test/test_ssl.py \| 62 +++++++++++++++++++++++---------------------
16	Modules/_ssl.c \| 31 ++++++++++++++++++++++
17	4 files changed, 78 insertions(+), 54 deletions(-)
18
19	diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
20	index a2f008346b..14f2d68217 100644
21	--- a/Doc/library/ssl.rst
22	+++ b/Doc/library/ssl.rst
23	@@ -1151,7 +1151,14 @@ to speed up repeated connections from the same clients.
24
25	.. versionchanged:: 3.5.3
26
27	- :data:`PROTOCOL_TLS` is the default value.
28	+ The context is created with secure default values. The options
29	+ :data:`OP_NO_COMPRESSION`, :data:`OP_CIPHER_SERVER_PREFERENCE`,
30	+ :data:`OP_SINGLE_DH_USE`, :data:`OP_SINGLE_ECDH_USE`,
31	+ :data:`OP_NO_SSLv2` (except for :data:`PROTOCOL_SSLv2`),
32	+ and :data:`OP_NO_SSLv3` (except for :data:`PROTOCOL_SSLv3`) are
33	+ set by default. The initial cipher suite list contains only ``HIGH``
34	+ ciphers, no ``NULL`` ciphers and no ``MD5`` ciphers (except for
35	+ :data:`PROTOCOL_SSLv2`).
36
37
38	:class:`SSLContext` objects have the following methods and attributes:
39	diff --git a/Lib/ssl.py b/Lib/ssl.py
40	index e1913904f3..4d302a78fa 100644
41	--- a/Lib/ssl.py
42	+++ b/Lib/ssl.py
43	@@ -446,32 +446,16 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
44	if not isinstance(purpose, _ASN1Object):
45	raise TypeError(purpose)
46
47	+ # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
48	+ # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
49	+ # by default.
50	context = SSLContext(PROTOCOL_TLS)
51
52	- # SSLv2 considered harmful.
53	- context.options \|= OP_NO_SSLv2
54	-
55	- # SSLv3 has problematic security and is only required for really old
56	- # clients such as IE6 on Windows XP
57	- context.options \|= OP_NO_SSLv3
58	-
59	- # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
60	- context.options \|= getattr(_ssl, "OP_NO_COMPRESSION", 0)
61	-
62	if purpose == Purpose.SERVER_AUTH:
63	# verify certs and host name in client mode
64	context.verify_mode = CERT_REQUIRED
65	context.check_hostname = True
66	elif purpose == Purpose.CLIENT_AUTH:
67	- # Prefer the server's ciphers by default so that we get stronger
68	- # encryption
69	- context.options \|= getattr(_ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
70	-
71	- # Use single use keys in order to improve forward secrecy
72	- context.options \|= getattr(_ssl, "OP_SINGLE_DH_USE", 0)
73	- context.options \|= getattr(_ssl, "OP_SINGLE_ECDH_USE", 0)
74	-
75	- # disallow ciphers with known vulnerabilities
76	context.set_ciphers(_RESTRICTED_SERVER_CIPHERS)
77
78	if cafile or capath or cadata:
79	@@ -497,12 +481,10 @@ def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
80	if not isinstance(purpose, _ASN1Object):
81	raise TypeError(purpose)
82
83	+ # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
84	+ # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
85	+ # by default.
86	context = SSLContext(protocol)
87	- # SSLv2 considered harmful.
88	- context.options \|= OP_NO_SSLv2
89	- # SSLv3 has problematic security and is only required for really old
90	- # clients such as IE6 on Windows XP
91	- context.options \|= OP_NO_SSLv3
92
93	if cert_reqs is not None:
94	context.verify_mode = cert_reqs
95	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
96	index ffb7314f57..f91af7bd05 100644
97	--- a/Lib/test/test_ssl.py
98	+++ b/Lib/test/test_ssl.py
99	@@ -73,6 +73,12 @@ NULLBYTECERT = data_file("nullbytecert.pem")
100	DHFILE = data_file("dh1024.pem")
101	BYTES_DHFILE = os.fsencode(DHFILE)
102
103	+# Not defined in all versions of OpenSSL
104	+OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
105	+OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
106	+OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
107	+OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
108	+
109
110	def handle_error(prefix):
111	exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
112	@@ -839,8 +845,9 @@ class ContextTests(unittest.TestCase):
113	ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
114	# OP_ALL \| OP_NO_SSLv2 \| OP_NO_SSLv3 is the default value
115	default = (ssl.OP_ALL \| ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3)
116	- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
117	- default \|= ssl.OP_NO_COMPRESSION
118	+ # SSLContext also enables these by default
119	+ default \|= (OP_NO_COMPRESSION \| OP_CIPHER_SERVER_PREFERENCE \|
120	+ OP_SINGLE_DH_USE \| OP_SINGLE_ECDH_USE)
121	self.assertEqual(default, ctx.options)
122	ctx.options \|= ssl.OP_NO_TLSv1
123	self.assertEqual(default \| ssl.OP_NO_TLSv1, ctx.options)
124	@@ -1205,16 +1212,29 @@ class ContextTests(unittest.TestCase):
125	stats["x509"] += 1
126	self.assertEqual(ctx.cert_store_stats(), stats)
127
128	+ def _assert_context_options(self, ctx):
129	+ self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
130	+ if OP_NO_COMPRESSION != 0:
131	+ self.assertEqual(ctx.options & OP_NO_COMPRESSION,
132	+ OP_NO_COMPRESSION)
133	+ if OP_SINGLE_DH_USE != 0:
134	+ self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
135	+ OP_SINGLE_DH_USE)
136	+ if OP_SINGLE_ECDH_USE != 0:
137	+ self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
138	+ OP_SINGLE_ECDH_USE)
139	+ if OP_CIPHER_SERVER_PREFERENCE != 0:
140	+ self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
141	+ OP_CIPHER_SERVER_PREFERENCE)
142	+
143	def test_create_default_context(self):
144	ctx = ssl.create_default_context()
145	+
146	self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
147	self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
148	self.assertTrue(ctx.check_hostname)
149	- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
150	- self.assertEqual(
151	- ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
152	- getattr(ssl, "OP_NO_COMPRESSION", 0),
153	- )
154	+ self._assert_context_options(ctx)
155	+
156
157	with open(SIGNING_CA) as f:
158	cadata = f.read()
159	@@ -1222,40 +1242,24 @@ class ContextTests(unittest.TestCase):
160	cadata=cadata)
161	self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
162	self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
163	- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
164	- self.assertEqual(
165	- ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
166	- getattr(ssl, "OP_NO_COMPRESSION", 0),
167	- )
168	+ self._assert_context_options(ctx)
169
170	ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
171	self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
172	self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
173	- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
174	- self.assertEqual(
175	- ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
176	- getattr(ssl, "OP_NO_COMPRESSION", 0),
177	- )
178	- self.assertEqual(
179	- ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0),
180	- getattr(ssl, "OP_SINGLE_DH_USE", 0),
181	- )
182	- self.assertEqual(
183	- ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
184	- getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
185	- )
186	+ self._assert_context_options(ctx)
187
188	def test__create_stdlib_context(self):
189	ctx = ssl._create_stdlib_context()
190	self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
191	self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
192	self.assertFalse(ctx.check_hostname)
193	- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
194	+ self._assert_context_options(ctx)
195
196	ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
197	self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
198	self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
199	- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
200	+ self._assert_context_options(ctx)
201
202	ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,
203	cert_reqs=ssl.CERT_REQUIRED,
204	@@ -1263,12 +1267,12 @@ class ContextTests(unittest.TestCase):
205	self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
206	self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
207	self.assertTrue(ctx.check_hostname)
208	- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
209	+ self._assert_context_options(ctx)
210
211	ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
212	self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
213	self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
214	- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
215	+ self._assert_context_options(ctx)
216
217	def test_check_hostname(self):
218	ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
219	diff --git a/Modules/_ssl.c b/Modules/_ssl.c
220	index 86482677ae..0d5c121d2c 100644
221	--- a/Modules/_ssl.c
222	+++ b/Modules/_ssl.c
223	@@ -2330,6 +2330,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
224	PySSLContext *self;
225	long options;
226	SSL_CTX *ctx = NULL;
227	+ int result;
228	#if defined(SSL_MODE_RELEASE_BUFFERS)
229	unsigned long libver;
230	#endif
231	@@ -2393,8 +2394,38 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
232	options \|= SSL_OP_NO_SSLv2;
233	if (proto_version != PY_SSL_VERSION_SSL3)
234	options \|= SSL_OP_NO_SSLv3;
235	+ /* Minimal security flags for server and client side context.
236	+ * Client sockets ignore server-side parameters. */
237	+#ifdef SSL_OP_NO_COMPRESSION
238	+ options \|= SSL_OP_NO_COMPRESSION;
239	+#endif
240	+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
241	+ options \|= SSL_OP_CIPHER_SERVER_PREFERENCE;
242	+#endif
243	+#ifdef SSL_OP_SINGLE_DH_USE
244	+ options \|= SSL_OP_SINGLE_DH_USE;
245	+#endif
246	+#ifdef SSL_OP_SINGLE_ECDH_USE
247	+ options \|= SSL_OP_SINGLE_ECDH_USE;
248	+#endif
249	SSL_CTX_set_options(self->ctx, options);
250
251	+ /* A bare minimum cipher list without completly broken cipher suites.
252	+ * It's far from perfect but gives users a better head start. */
253	+ if (proto_version != PY_SSL_VERSION_SSL2) {
254	+ result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5");
255	+ } else {
256	+ /* SSLv2 needs MD5 */
257	+ result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
258	+ }
259	+ if (result == 0) {
260	+ Py_DECREF(self);
261	+ ERR_clear_error();
262	+ PyErr_SetString(PySSLErrorObject,
263	+ "No cipher can be selected.");
264	+ return NULL;
265	+ }
266	+
267	#if defined(SSL_MODE_RELEASE_BUFFERS)
268	/* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory
269	usage for no cost at all. However, don't do this for OpenSSL versions
270	--
271	2.17.1
272