[Python-Dev] Disabling SSL 3.0
Victor Stinner
victor.stinner at gmail.com
Wed Oct 15 01:16:26 CEST 2014
Hi,
I opened an issue to track this vulnerability:
http://bugs.python.org/issue22638
SSL 3.0 is 8 years old; I guess that TLS is now widely deployed and
well supported?
I guess that Linux vendors will have to fix the issues directly in
OpenSSL. Should Python only be changed on Windows?
Or do you want to modify Python to disable SSLv3 in the ssl module?
OpenSSL provides an SSL_OP_NO_SSLv2 option for SSL contexts. Is there an
SSL_OP_NO_SSLv3 option? Or should we only change the constructor of
ssl.SSLContext?
Victor
2014-10-15 1:00 GMT+02:00 Donald Stufft <donald at stufft.io>:
> A big security breach of SSL 3.0 just dropped a little while ago (named POODLE).
> With this there is now no ability to securely connect via SSL 3.0. I believe
> that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled,
> where it is disabled by default unless the user has explicitly re-enabled it.
>
> The new attack essentially allows reading the sensitive data from within an SSL
> 3.0 connection stream. It takes roughly 256 requests to break a single byte so
> the attack is very practical. You can read more about the attack here at the
> google announcement [1] or the whitepaper [2].
>
> [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
> [2] https://www.openssl.org/~bodo/ssl-poodle.pdf
>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
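Worked example (added here; not code from the thread, from CPython, or from the tracker issue). The OpenSSL option Victor asks about is exposed by the ssl module as ssl.OP_NO_SSLv3, next to ssl.OP_NO_SSLv2, so "disabled unless explicitly re-enabled" can be done without touching the interpreter. The block below shows the two mechanisms a practitioner would set (the OP_NO_* flags, and the minimum_version floor that later CPython releases prefer), plus an audit function that reports whether a given context could still negotiate SSLv3. Assumptions, stated in the code: a Python with ssl.PROTOCOL_TLS_CLIENT (3.6+); the TLS 1.2 floor is the editor's choice, stricter than the thread's "TLS instead of SSLv3"; the "legacy-like" context is constructed on purpose so the audit has something to catch and stands in for a 2014-era SSLContext(PROTOCOL_SSLv23) that only cleared SSLv2.

```python
"""Turn SSLv3 (and SSLv2) off on a Python ssl.SSLContext and audit that it stuck."""
import ssl
import warnings

# ssl.OP_NO_SSLv2 / ssl.OP_NO_SSLv3 are the Python names for OpenSSL's
# SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 context options asked about in the thread.
LEGACY_SSL_FLAGS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def disable_sslv3(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Refuse SSLv2/SSLv3 on an existing context, whatever it was built with.

    Both mechanisms are set because they belong to different interpreter
    generations: the OP_NO_* flags (deprecated since Python 3.10 but still
    honoured) and a protocol floor via minimum_version (Python 3.7+).
    """
    with warnings.catch_warnings():
        # 3.10+ emits a DeprecationWarning when OP_NO_* bits are set; they work.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= LEGACY_SSL_FLAGS
    if hasattr(ctx, "minimum_version"):
        # Assumption: TLS 1.2 as the floor. That is stricter than the thread's
        # "TLS, not SSLv3"; an existing higher floor is never lowered.
        if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sslv3_negotiable(ctx: ssl.SSLContext) -> bool:
    """True if nothing on this context forbids SSLv3 (the POODLE-exposed version).

    Either guard is sufficient: the OP_NO_SSLv3 bit, or a version floor above
    SSLv3. A build of OpenSSL without SSLv3 would refuse it anyway, but the
    audit reports what the context itself requests.
    """
    if ctx.options & ssl.OP_NO_SSLv3:
        return False
    if hasattr(ctx, "minimum_version") and ctx.minimum_version > ssl.TLSVersion.SSLv3:
        return False
    return True


def make_client_context() -> ssl.SSLContext:
    """Client context with certificate verification on and SSLv3 off."""
    # PROTOCOL_TLS_CLIENT (3.6+) turns on verify_mode/check_hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return disable_sslv3(ctx)


def make_legacy_like_context() -> ssl.SSLContext:
    """Constructed 'bad' context with every SSLv3 guard deliberately removed.

    Stand-in for a 2014-era SSLContext(PROTOCOL_SSLv23) that only set
    OP_NO_SSLv2; built here solely so the audit has something to flag.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_SSLv3          # clearing a bit does not warn
    if hasattr(ctx, "minimum_version"):
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for name, ctx in (
        ("hardened client", make_client_context()),
        ("legacy-like", make_legacy_like_context()),
        ("legacy-like, then disable_sslv3", disable_sslv3(make_legacy_like_context())),
    ):
        print(f"{name}: SSLv3 negotiable = {sslv3_negotiable(ctx)}")
```

Run it under a normal interpreter and the legacy-like context is the only one reported as SSLv3-negotiable; passing it through disable_sslv3 closes it again. The same audit can be applied to any context a library hands you (e.g. the one urllib or an HTTP client builds) before the first connection is made.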