[Python-Dev] Disabling SSL 3.0

Victor Stinner victor.stinner at gmail.com
Wed Oct 15 01:16:26 CEST 2014


I opened an issue to track this vulnerability:

SSL 3.0 is 8 years old, I guess that TLS is now widely deployed and
well supported?

I guess that Linux vendors will have to fix the issues directly in
OpenSSL directly. Should Python only be changed on Windows?

Or do you want to modify Python to disable SSLv3 in the ssl module?
OpenSSL provides a SSL_OP_NO_SSLv2 option for SSL context. Is there a
SSL_OP_NO_SSLv3 option? Or only change the constructor of


2014-10-15 1:00 GMT+02:00 Donald Stufft <donald at stufft.io>:
> A big security breach of SSL 3.0 just dropped a little while ago (named POODLE).
> With this there is now no ability to securely connect via SSL 3.0. I believe
> that we should disable SSL 3.0 in Python similarly to how SSL 2.0 is disabled,
> where it is disabled by default unless the user has explicitly re-enabled it.
> The new attack essentially allows reading the sensitive data from within a SSL
> 3.0 connection stream. It takes roughly 256 requests to break a single byte so
> the attack is very practical. You can read more about the attack here at the
> google announcement [1] or the whitepaper [2].
> [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
> [2] https://www.openssl.org/~bodo/ssl-poodle.pdf
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/victor.stinner%40gmail.com

More information about the Python-Dev mailing list