It looks like OpenSSL can be compiled without SSLv2 (#ifdef OPENSSL_NO_SSL2). See this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612780

When compiling Python, I get the following error:
/home/haypo/prog/HG/cpython/Modules/_ssl.c: In function 'context_new':
/home/haypo/prog/HG/cpython/Modules/_ssl.c:1451:9: warning: implicit declaration of function 'SSLv2_method'
/home/haypo/prog/HG/cpython/Modules/_ssl.c:1451:9: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast
/usr/include/openssl/ssl.h:1469:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
*** WARNING: renaming "_ssl" since importing it failed: build/lib.linux-x86_64-3.3-pydebug/_ssl.cpython-33dm.so: undefined symbol: SSLv2_method

See also issue #9415.

---

Attached patch makes ssl.PROTOCOL_SSLv2 optional.

I don't know what to do with @skip_if_broken_ubuntu_ssl in test_ssl.py.

Does this happen with a released build of OpenSSL? The Debian bug talks about experimental.

+try:
+    from _ssl import PROTOCOL_SSLv2
+    OPENSSL_NO_SSL2 = False
+except ImportError:
+    OPENSSL_NO_SSL2 = True

Please avoid "negative" constants. Calling it HAS_SSLv2 would be fine.

Also, there should be some doc update mentioning that PROTOCOL_SSLv2 is not always present.

The original bug requesting that SSLv2 be disabled is #589706; the updated openssl package with this change is in Debian unstable and testing now.

> Please avoid "negative" constants. Calling it HAS_SSLv2 would be fine.

I reused the term from ssl.h (#ifdef OPENSSL_NO_SSL2), but yes we can use a different name.

> Also, there should be some doc update mentioning that PROTOCOL_SSLv2
> is not always present.

Ok, I will do that.

Updated patch.

Note: I tried to keep the same enum values for py_ssl_version, it's maybe useless and so "=1" can be removed.

> Updated patch.
> 
> Note: I tried to keep the same enum values for py_ssl_version, it's
> maybe useless and so "=1" can be removed.

Thank you! PROTOCOL_NAMES should stay private and therefore be named
_PROTOCOL_NAMES, IMHO.
Keeping the same enum values is worthwhile, I think.

New changeset 5296c3e2f166 by Victor Stinner in branch 'default':
Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
http://hg.python.org/cpython/rev/5296c3e2f166

> New changeset 5296c3e2f166 by Victor Stinner in branch 'default':
> Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
> http://hg.python.org/cpython/rev/5296c3e2f166

Since it's a bugfix, it should probably go into all branches.

New changeset b7abf0590e1c by Victor Stinner in branch '3.1':
Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
http://hg.python.org/cpython/rev/b7abf0590e1c

New changeset 20beec22764f by Victor Stinner in branch '3.2':
(Merge 3.1) Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
http://hg.python.org/cpython/rev/20beec22764f

New changeset 3c87a13980be by Victor Stinner in branch '2.7':
(Merge 3.1) Issue #12012: ssl.PROTOCOL_SSLv2 becomes optional
http://hg.python.org/cpython/rev/3c87a13980be

> Since it's a bugfix, it should probably go into all branches.

Fixed in 2.7, 3.1, 3.2, 3.3.

Victor, you broke the Solaris gcc buildbot on 2.7.
http://www.python.org/dev/buildbot/all/builders/sparc%20solaris10%20gcc%202.7/builds/837

New changeset d5771ed4ec4e by Victor Stinner in branch '2.7':
Issue #12012: test_ssl uses test_support.import_module()
http://hg.python.org/cpython/rev/d5771ed4ec4e

> Victor, you broke the Solaris gcc buildbot on 2.7.

It should be fixed by d5771ed4ec4e.