Hey all,
There are a number of serious security improvements that have gone into the
stdlib SSL module in Python 3. For reasons that defy understanding, the
CPython maintainers have decided not to backport them to Python 2.
I'd like to backport a few of them, starting with: blocking SSLv2 by
default. How do people feel about this?
There are basically no servers on the internet that use SSLv2, as it's
completely broken, so all this does is prevent an attack. The downside is
that there'd be no way for a user to turn this off if we do it.
This would be a serious security hardening IMO.
(Note that this mostly only affects OS X; almost every other platform has
had SSLv2 turned off in OpenSSL itself.)
Any objections?
Alex
--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
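For reference, the hardening the post proposes (refusing SSLv2, and for good measure SSLv3) is what the Python 3 `ssl` module exposes through `SSLContext` options and `minimum_version`. The block below is an added example, not code from the post or from any project it refers to: it builds a client context with the legacy protocols disabled and audits a context to confirm they are blocked. The function names `hardened_client_context` and `audit_context` are this example's own. It also handles the case the post's OS X note alludes to, where OpenSSL itself was built without SSLv2, in which case `ssl.OP_NO_SSLv2` is 0 and the option bit can never be observed on the context.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context with SSLv2/SSLv3 refused and TLS 1.2 as the floor.

    create_default_context() already enables certificate verification and
    loads the platform CA store; the option bits are set explicitly so the
    intent survives regardless of what a given Python release defaults to.
    """
    ctx = ssl.create_default_context()
    # OP_NO_* bits are the pre-3.7 mechanism; they are 0 on OpenSSL builds
    # that dropped the protocol entirely, so OR-ing them in is always safe.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # minimum_version is the modern, preferred control (Python 3.7+).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _option_blocks(ctx: ssl.SSLContext, flag: int) -> bool:
    """True if the protocol behind `flag` cannot be negotiated.

    A flag value of 0 means OpenSSL was compiled without that protocol
    (the 'turned off in OpenSSL itself' situation), which is the strongest
    form of blocking even though no bit shows up in ctx.options.
    """
    if flag == 0:
        return True
    return bool(ctx.options & flag)


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which legacy-protocol protections a context actually has."""
    return {
        "sslv2_blocked": _option_blocks(ctx, ssl.OP_NO_SSLv2),
        "sslv3_blocked": _option_blocks(ctx, ssl.OP_NO_SSLv3),
        # TLSVersion is an IntEnum; MINIMUM_SUPPORTED is negative, so it
        # correctly compares as weaker than TLSv1_2.
        "tls12_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Single pass/fail answer for the audit above."""
    return all(audit_context(ctx).values())


if __name__ == "__main__":
    ctx = hardened_client_context()
    for check, ok in audit_context(ctx).items():
        print(f"{check:15s} {'ok' if ok else 'MISSING'}")
    print("hardened:", is_hardened(ctx))
```

Note that `is_hardened` only inspects the context's configuration; it does not prove what a remote peer will accept, so it is a local policy check, not a scan of the server.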