[Python-Dev] Disabling SSL 3.0

Antoine Pitrou solipsis at pitrou.net
Wed Oct 15 01:20:14 CEST 2014

On Wed, 15 Oct 2014 01:16:26 +0200
Victor Stinner <victor.stinner at gmail.com> wrote:
> Hi,
> I opened an issue to track this vulnerability:
> http://bugs.python.org/issue22638
> SSL 3.0 is 8 years old, I guess that TLS is now widely deployed and
> well supported?
> I guess that Linux vendors will have to fix the issues directly in
> OpenSSL directly. Should Python only be changed on Windows?

If OpenSSL gets a patch, we can simply update the OpenSSL version used
for Windows installers.

> Or do you want to modify Python to disable SSLv3 in the ssl module?
> OpenSSL provides a SSL_OP_NO_SSLv2 option for SSL context. Is there a
> SSL_OP_NO_SSLv3 option? Or only change the constructor of
> ssl.SSLContext?

Please let's not have this discussion on two different channels.
*Either* the bug tracker or the mailing-list.

Thank you


More information about the Python-Dev mailing list