
On Thu, Jan 9, 2014 at 8:20 AM, Alex Gaynor <alex.gaynor@gmail.com> wrote:
Hey all,
There are a number of serious security improvements that have gone into the stdlib SSL module in Python 3. For reasons that defy understanding, the CPython maintainers have decided not to backport them to Python 2.
I'd like to backport a few of them, starting with: blocking SSLv2 by default. How do people feel about this?
There are basically no servers on the internet that use SSLv2, as it's completely broken, so all this does is prevent an attack. The downside is that there'd be no way for a user to turn this off if we do it.
This would be a serious security hardening IMO.
(Note that this mostly only affects OS X, almost every other platform has had SSLv2 turned off in OpenSSL itself).
Any objections?

Alex
I think this particular change is fine, especially since on modern Linux systems SSLv2 is not supported anyway.
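The thread is about the `ssl` module refusing SSLv2 (and, by extension, other legacy protocol versions) regardless of what the caller asks for. The following is an added illustration for readers of this thread, not code from the thread or from the Python project: it builds a client context on the Python 3 API with an explicit protocol floor and a small policy check that reports whether the context could still negotiate a legacy version. The function names `hardened_client_context`, `legacy_protocols_allowed` and `context_policy` are this example's own; the `ssl` calls are the standard library's.

```python
import ssl


def hardened_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client-side SSLContext with a protocol floor the caller cannot
    accidentally drop below.

    Example helper (not part of the thread); the floor defaults to
    TLS 1.2, which is stricter than the "no SSLv2" change under
    discussion but expresses the same idea: the library refuses the
    broken versions rather than leaving it to every caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # minimum_version is the supported way to express a floor on
    # Python 3.7+; the OP_NO_SSLv2 / OP_NO_SSLv3 option bits are the
    # older mechanism and are deprecated.
    ctx.minimum_version = min_version
    # PROTOCOL_TLS_CLIENT already enables these, set explicitly so the
    # intent is visible to a reviewer.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def legacy_protocols_allowed(ctx):
    """Return True if the context could still negotiate SSLv3 or lower.

    SSLv3 (or anything below it) is reachable only when the floor is
    below TLS 1.0 and the OP_NO_SSLv3 bit is clear.  We do not test the
    OP_NO_SSLv2 bit: modern OpenSSL has removed SSLv2 entirely, so that
    bit is not a reliable signal; the version floor is.
    """
    floor_below_tls1 = ctx.minimum_version < ssl.TLSVersion.TLSv1
    sslv3_bit_clear = not (ctx.options & ssl.OP_NO_SSLv3)
    return floor_below_tls1 and sslv3_bit_clear


def context_policy(ctx):
    """Summarise the protocol policy of a context as plain values, the
    sort of thing a deployment check or a unit test can assert on."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "legacy_protocols_allowed": legacy_protocols_allowed(ctx),
    }


if __name__ == "__main__":
    policy = context_policy(hardened_client_context())
    for key, value in policy.items():
        print(f"{key}: {value}")
```

`legacy_protocols_allowed` is the check a defender wants in a config audit: the thread's point is that an application should not be able to end up speaking SSLv2 by omission, and a floor on `minimum_version` (rather than relying on callers to set option bits) is how the Python 3 API expresses that.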