Disable the SSLv3 protocol in Python 2.6 on CentOS 6

To find out why SSLv3 needs to be disabled, search for "SSL POODLE". If you change the server from sslv23 to tlsv1, clients that still use sslv23 will no longer be able to connect, so Python itself has to be patched here.

Step 1

Download and unpack the Python 2.6 source package

mkdir -p ~/rpmbuild/SOURCES
cd ~/rpmbuild/SOURCES
wget http://vault.centos.org/6.5/updates/Source/SPackages/python-2.6.6-52.el6.src.rpm
rpm2cpio python-2.6.6-52.el6.src.rpm | cpio -idmv

Step 2

Apply the patch

disable-ssl3.patch


--- /dev/null
+++ b/SOURCES/python-2.6-disable-ssl3.patch
@@ -0,0 +1,17 @@
+--- Python-2.6.6.orig/Modules/_ssl.c
++++ Python-2.6.6/Modules/_ssl.c
+@@ -359,7 +386,12 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
+     }
+ 
+     /* ssl compatibility */
+-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
++    long options = SSL_OP_ALL;
++    if (proto_version != PY_SSL_VERSION_SSL2)
++        options |= SSL_OP_NO_SSLv2;
++    if (proto_version != PY_SSL_VERSION_SSL3)
++        options |= SSL_OP_NO_SSLv3;
++    SSL_CTX_set_options(self->ctx, options);
+ 
+     verification_mode = SSL_VERIFY_NONE;
+     if (certreq == PY_SSL_CERT_OPTIONAL)
+
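Review bot: In the _ssl.c hunk, the test "if (proto_version != PY_SSL_VERSION_SSL3)" leaves SSL_OP_NO_SSLv3 unset when the caller explicitly asks for PY_SSL_VERSION_SSL3, so SSLv3 is only removed from the other protocol versions and explicit SSLv3 contexts still work. If that is intended, say so in the "/* ssl compatibility */" comment so nobody reads the patch as a complete ban. Separately, "long options" is declared after the closing brace of the preceding block; moving the declaration to the top of newPySSLObject avoids a mixed declaration in the middle of the function.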
--- a/SOURCES.bak/python.spec
+++ b/SOURCES/python.spec
@@ -47,7 +47,7 @@
 Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 Version: 2.6.6
-Release: 52%{?dist}
+Release: 52%{?dist}_1
 License: Python
 Group: Development/Languages
 Provides: python-abi = %{pybasever}
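Review bot: The Release bump to "52%{?dist}_1" has no matching %changelog entry anywhere in this patch. Add one that names python-2.6-disable-ssl3.patch, so the rebuilt package records why it differs from the stock 52 release.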
@@ -453,6 +453,7 @@ Patch171: python-2.6.6-CVE-2013-4238-hostname-check-bypass-in-SSL-module.patch
 # (rhbz#1002983)
 Patch172: python-2.6.6-ssl-memory-leak-_get_peer_alt_names.patch
 
+Patch10000: python-2.6-disable-ssl3.patch
 
 # The core python package contains just the executable and manpages; most of
 # the content is now in the -libs subpackage.
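Review bot: Patch10000 is added without the kind of explanatory comment the neighbouring entry carries (Patch172 has "# (rhbz#1002983)" above it). Add a comment line above Patch10000 stating that it is a local patch which sets SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 unless that protocol version is requested explicitly.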
@@ -790,6 +791,8 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
 
 %patch172 -p1
 
+%patch10000 -p1
+
 # Don't build these crypto algorithms; instead rely on _hashlib and OpenSSL:
 for f in md5module.c md5.c shamodule.c sha256module.c sha512module.c; do
     rm Modules/$f

After saving this file in ~/, run this command:

patch < ~/disable-ssl3.patch

Step 3

Rebuild

rpmbuild -ba python.spec

All that remains is to install the resulting RPM.

Testing whether SSLv3 is actually disabled

openssl s_client -connect ip:port -ssl3

If the handshake fails with an error, the patch is working.
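
A failed command only proves something if the failure comes from the server, for example not from an openssl client that no longer supports -ssl3. The following shell functions are an added example, not part of the original post, that classify the output of the probe above. The function names, the matched strings (assumed to be typical openssl s_client output) and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the output of the page's SSLv3 probe.
# Verdicts: rejected (server refused SSLv3), accepted (an SSLv3 session was
# negotiated), inconclusive (the probe proves nothing either way).
# The matched strings are assumptions about typical openssl s_client output.
classify_ssl3_probe() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -qiE "$1"; }
    # Local openssl built without SSLv3, or no TCP connection: the command
    # fails, but not because the server refused the protocol.
    if has 'unknown option|connect:|connection refused'; then
        echo inconclusive
    # A session with a real cipher means SSLv3 is still enabled.
    elif has '^ *Protocol *: *SSLv3' && ! has 'Cipher is \(NONE\)|Cipher *: *0000'; then
        echo accepted
    elif has 'alert handshake failure|alert protocol version|wrong version number'; then
        echo rejected
    else
        echo inconclusive
    fi
}

# Run the probe from the page against host $1, port $2 and classify it.
probe_ssl3() {
    openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | classify_ssl3_probe
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_REJECTED='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
SAMPLE_NO_SSL3_CLIENT='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
```

Only a "rejected" verdict confirms the patched build; "inconclusive" means the probe has to be repeated with an openssl client that still supports -ssl3 or against a reachable port.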
