Classification
Title: Disable SSLv2 in Python 2.x
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.4, Python 3.3, Python 2.7

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: alex, christian.heimes, dstufft, haypo, hynek, pitrou, python-dev
Priority: normal
Keywords: patch

Created on 2014-01-09 16:48 by alex, last changed 2014-01-09 23:07 by pitrou. This issue is now closed.

Files
File name        Uploaded                  Description
no_sslv2.patch   pitrou, 2014-01-09 17:00
Messages (15)
msg207748 - Author: Alex Gaynor (alex) (Python committer) Date: 2014-01-09 16:48
SSLv2 has numerous security issues, and thus is in limited use on the web. Continuing to allow SSLv2 handshakes only serves to limit security.
msg207749 - Author: Donald Stufft (dstufft) (Python committer) Date: 2014-01-09 16:48
+1
msg207750 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-01-09 16:51
Please qualify the request a bit: do you mean something should be done in the ssl module? One solution is to add OP_NO_SSLv2 when the user asks for a PROTOCOL_SSLv23 socket. Is it what you mean?
msg207751 - Author: Alex Gaynor (alex) (Python committer) Date: 2014-01-09 16:51
Yes, OP_NO_SSLv2 should be used by default.
msg207752 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-01-09 17:00
Here is a patch. Can someone try it with a non-patched OpenSSL? (e.g. OS X)
msg207753 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-01-09 17:00
(by trying, I mean at least "./python -m test.regrtest -unetwork -v test_ssl")
msg207754 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-01-09 17:03
Note that this probably would have to be applied to 3.x too, for consistency.
msg207755 - Author: Alex Gaynor (alex) (Python committer) Date: 2014-01-09 17:07
I can confirm the tests pass on OS X and it's possible to open a connection to howsmyssl.com
msg207759 - Author: Alex Gaynor (alex) (Python committer) Date: 2014-01-09 17:21
I'm not sure this is needed on Python 3, it already has: http://hg.python.org/cpython/file/default/Lib/ssl.py#l388
msg207760 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-01-09 17:22
> I'm not sure this is needed on Python 3, it already has:
> http://hg.python.org/cpython/file/default/Lib/ssl.py#l388

It doesn't get executed when you create an SSLContext directly, though.
msg207761 - Author: Hynek Schlawack (hynek) (Python committer) Date: 2014-01-09 17:22
I'm +1 too since supporting it serves no other purpose than enabling downgrade attacks. Shipping a client with SSL 2 on is nothing short of a security bug.
msg207768 - Author: STINNER Victor (haypo) (Python committer) Date: 2014-01-09 18:26
> Here is a patch. Can someone try it with a non-patched OpenSSL? (e.g. OS X)

How can I test that SSLv2 is disabled?
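One way to answer that question in code, as an added example that is not from the tracker thread, the attached patch or CPython itself: inspect the option bits of an ssl.SSLContext and report whether an SSLv2 handshake is still possible. It uses only the public ssl module API (SSLContext.options, ssl.OP_NO_SSLv2, ssl.create_default_context); the function names sslv2_blocked, context_blocks_sslv2 and harden are my own. The one caveat a practitioner needs is built in: OpenSSL 1.1.0 and later removed SSLv2 entirely and define SSL_OP_NO_SSLv2 as 0, so on those builds Python's ssl.OP_NO_SSLv2 is 0 and a naive bitwise check would report the protocol as "not blocked" even though it can never be negotiated.

```python
"""Check whether an ssl.SSLContext can still negotiate SSLv2.

Added example; not code from the CPython tracker or the ssl module.
Assumes only the public ssl API (SSLContext.options, OP_NO_SSLv2,
create_default_context).  Helper names are this example's own.
"""
import ssl
import warnings


def sslv2_blocked(options, op_no_sslv2=ssl.OP_NO_SSLv2):
    """Return True if these option bits prevent an SSLv2 handshake.

    `options` is the integer value of SSLContext.options and
    `op_no_sslv2` the value of the OP_NO_SSLv2 flag for the linked
    OpenSSL (passed explicitly so the logic can be tested against
    values from other OpenSSL builds).

    Edge case: OpenSSL >= 1.1.0 has no SSLv2 code and defines
    SSL_OP_NO_SSLv2 as 0, so ssl.OP_NO_SSLv2 is 0 there.  A zero flag
    means SSLv2 is compiled out and cannot be negotiated at all.
    """
    if op_no_sslv2 == 0:
        return True  # SSLv2 absent from OpenSSL: nothing to block
    return bool(int(options) & op_no_sslv2)


def context_blocks_sslv2(ctx):
    """Run the check against a live SSLContext."""
    return sslv2_blocked(ctx.options)


def harden(ctx):
    """Do explicitly what the patch in this issue does by default:
    OR OP_NO_SSLv2 into the context's options.

    Python 3.10+ warns that OP_NO_* flags are deprecated (defaults
    already exclude SSLv2 there); the warning is silenced so the
    helper behaves the same on every version.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv2
    return ctx


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("OP_NO_SSLv2 flag value:", hex(int(ssl.OP_NO_SSLv2)))
    print("SSLv2 blocked by default context:", context_blocks_sslv2(ctx))
    print("SSLv2 blocked after harden():", context_blocks_sslv2(harden(ctx)))
```

Running the script prints the linked OpenSSL version, the flag value and the verdict for the default context before and after harden(); on a 1.0.x OpenSSL the flag is a real bit and the verdict depends on whether the context carries it, on 1.1.0 or later the flag is 0 and the verdict is always True.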
msg207771 - Author: Roundup Robot (python-dev) Date: 2014-01-09 18:52
New changeset 163c09041280 by Antoine Pitrou in branch '2.7':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
http://hg.python.org/cpython/rev/163c09041280
msg207776 - Author: Roundup Robot (python-dev) Date: 2014-01-09 19:09
New changeset 613b403ca9f1 by Antoine Pitrou in branch '3.3':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
http://hg.python.org/cpython/rev/613b403ca9f1

New changeset e02288de43ed by Antoine Pitrou in branch 'default':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
http://hg.python.org/cpython/rev/e02288de43ed
msg207777 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-01-09 19:10
This should be ok now. Let's hope no buildbots will complain...
History
Date                 User              Action  Args
2014-01-09 23:07:41  pitrou            set     status: pending -> closed
2014-01-09 19:10:42  pitrou            set     status: open -> pending; resolution: fixed; messages: + msg207777; stage: resolved
2014-01-09 19:09:12  python-dev        set     messages: + msg207776
2014-01-09 18:52:19  python-dev        set     nosy: + python-dev; messages: + msg207771
2014-01-09 18:26:32  haypo             set     messages: + msg207768
2014-01-09 18:25:17  haypo             set     nosy: + haypo
2014-01-09 17:22:37  hynek             set     nosy: + hynek; messages: + msg207761
2014-01-09 17:22:04  pitrou            set     messages: + msg207760
2014-01-09 17:21:13  alex              set     messages: + msg207759
2014-01-09 17:07:54  alex              set     messages: + msg207755
2014-01-09 17:03:11  pitrou            set     messages: + msg207754; versions: + Python 3.3, Python 3.4
2014-01-09 17:01:53  christian.heimes  set     nosy: + christian.heimes
2014-01-09 17:00:52  pitrou            set     messages: + msg207753
2014-01-09 17:00:07  pitrou            set     files: + no_sslv2.patch; keywords: + patch; messages: + msg207752
2014-01-09 16:51:42  alex              set     messages: + msg207751
2014-01-09 16:51:09  pitrou            set     type: behavior; messages: + msg207750; nosy: + pitrou
2014-01-09 16:48:44  dstufft           set     nosy: + dstufft; messages: + msg207749
2014-01-09 16:48:05  alex              create