From 10aaca9941ac6e7658de4586c8e9b28a0e9bd4b3 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Wed, 11 Nov 2015 22:38:41 -0800
Subject: always set OP_NO_SSLv3 by default (closes #25530)

---
 Modules/_ssl.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'Modules/_ssl.c')

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a327ae289c..398a43aaf8 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2046,6 +2046,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
     options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
     if (proto_version != PY_SSL_VERSION_SSL2)
         options |= SSL_OP_NO_SSLv2;
+    if (proto_version != PY_SSL_VERSION_SSL3)
+        options |= SSL_OP_NO_SSLv3;
     SSL_CTX_set_options(self->ctx, options);
 
 #ifndef OPENSSL_NO_ECDH
-- 
cgit v1.2.1