[pypy-dev] SSL in the stdlib
Maciej Fijalkowski
fijall at gmail.com
Thu Jan 9 09:14:14 CET 2014
On Thu, Jan 9, 2014 at 8:20 AM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> Hey all,
>
> There are a number of serious security improvements that have gone into the
> stdlib SSL module in Python 3. For reasons that defy understanding, the
> CPython maintainers have decided not to backport them to Python 2.
>
> I'd like to backport a few of them, starting with: blocking SSLv2 by
> default. How do people feel about this?
>
> There are basically no servers on the internet that use SSLv2, as it's
> completely broken, so all this does is prevent an attack. The downside is
> that there'd be no way for a user to turn this off if we do it.
>
> This would be a serious security hardening IMO.
>
> (Note that this mostly only affects OS X, almost every other platform has
> had SSLv2 turned off in OpenSSL itself).
>
> Any objections?
> Alex
I think this particular change is fine, especially since on modern
Linux systems, SSLv2 is not supported anyway.