[Python-Dev] Disabling SSL 3.0
Antoine Pitrou
solipsis at pitrou.net
Wed Oct 15 01:20:14 CEST 2014
On Wed, 15 Oct 2014 01:16:26 +0200
Victor Stinner <victor.stinner at gmail.com> wrote:
> Hi,
>
> I opened an issue to track this vulnerability:
> http://bugs.python.org/issue22638
>
> SSL 3.0 is 8 years old, I guess that TLS is now widely deployed and
> well supported?
>
> I guess that Linux vendors will have to fix the issues directly in
> OpenSSL directly. Should Python only be changed on Windows?
If OpenSSL gets a patch, we can simply update the OpenSSL version used
for Windows installers.
> Or do you want to modify Python to disable SSLv3 in the ssl module?
> OpenSSL provides a SSL_OP_NO_SSLv2 option for SSL context. Is there a
> SSL_OP_NO_SSLv3 option? Or only change the constructor of
> ssl.SSLContext?
Please let's not have this discussion on two different channels.
*Either* the bug tracker or the mailing-list.
Thank you
Antoine.
More information about the Python-Dev
mailing list