[New-bugs-announce] [issue13747] ssl_version documentation error

Ben Darnell report at bugs.python.org
Mon Jan 9 20:10:42 CET 2012

New submission from Ben Darnell <ben.darnell at gmail.com>:

The ssl module docs claim that the default ssl_version for client-side operation is SSLv3, but it is actually SSLv23.  The exact behavior depends on the version of openssl:  starting in 1.0 the connection is limited by default to SSLv3 or TLSv1 (as documented in the note below the compatibility table), but in older versions of openssl SSLv2 is allowed by default. 

This is just a documentation error if you've got a recent version of openssl, but it's also a security problem with older versions, since people may have been unknowingly using the weaker SSLv2 protocol.  (I don't know how widespread pre-1.0 versions of openssl are these days, but OSX Lion still ships with 0.9.8)  It would be nice if the default mode were SSLv23 with SSL_OP_NO_SSLv2 set so the defaults would be safe even with older versions of openssl (there's no way to set this configuration from python code before py3.2)

Also, the compatibility table claims that an SSLv3 client can talk to an SSLv2 server, which is incorrect.  SSLv23 clients can talk to SSLv3 and TLSv1 servers if openssl is at least version 1.0 and SSLv2 ciphers are not explicitly enabled.

messages: 150963
nosy: Ben.Darnell
priority: normal
severity: normal
status: open
title: ssl_version documentation error
versions: Python 2.7

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list