msg207762 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 17:23 |
It sounds like we may deprecate PROTOCOL_SSLv2 in 3.5.
|
msg207763 - (view) |
Author: STINNER Victor (vstinner) * |
Date: 2014-01-09 17:34 |
See also issue #20207.
|
msg207773 - (view) |
Author: R. David Murray (r.david.murray) * |
Date: 2014-01-09 19:00 |
Why not in 3.4?
|
msg207774 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 19:01 |
It sounds a bit too late, although that would be Larry's call.
|
msg207775 - (view) |
Author: R. David Murray (r.david.murray) * |
Date: 2014-01-09 19:02 |
I don't see why a deprecation would be late, since we haven't hit RC yet. A deprecation doesn't change the API. But yes, it is Larry's call.
|
msg207778 - (view) |
Author: Larry Hastings (larry) * |
Date: 2014-01-09 19:15 |
Would the patch be about as simple as the patch for 2.7 in #20207?
Also, #20207 is also marked for 3.4. Either unmark 3.4/3.5 in #20207, or close this bug as a duplicate.
|
msg207779 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 19:16 |
Those bugs are orthogonal, Larry.
|
msg207780 - (view) |
Author: Larry Hastings (larry) * |
Date: 2014-01-09 19:17 |
Okay, then, can you educate me on what you're proposing here?
|
msg207781 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 19:19 |
The ssl module has an attribute named PROTOCOL_SSLv2 that I'm proposing to deprecate.
|
msg207782 - (view) |
Author: Larry Hastings (larry) * |
Date: 2014-01-09 19:21 |
Is there any way to use SSLv2 in 3.4?
|
msg207783 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 19:22 |
> Is there any way to use SSLv2 in 3.4?
Yes, by using PROTOCOL_SSLv2.
(you're asking strange questions)
|
msg207784 - (view) |
Author: Larry Hastings (larry) * |
Date: 2014-01-09 19:26 |
I don't have a lot of context for this. It sounds like #20207 proposes to remove the ability to use SSLv2 at all. And in the comments Alex Gaynor seems to say that SSLv2 is already disabled in Python 3.
If #20207 happens for 3.4, would it still be possible to use SSLv2?
|
msg207785 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 19:27 |
> If #20207 happens for 3.4, would it still be possible to use SSLv2?
#20207 has already happened for 3.4 and, yes, it's still possible to use SSLv2 (except that many distros also disable SSLv2 in their OpenSSL build).
The commit message is quite clear about that: """Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for."""
|
msg207786 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 19:28 |
(FTR, Alex's comment mixes up the default settings used by urlopen() with what the ssl module allows you to do when invoked directly)
|
msg207787 - (view) |
Author: Larry Hastings (larry) * |
Date: 2014-01-09 19:35 |
If we removed it completely (which I'm *not* proposing, just gathering data) how many people would it affect?
Is there any legitimate reason why some people would want SSLv2? Like "we aren't allowed to upgrade this server" or something.
|
msg207790 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-09 20:33 |
> If we removed it completely (which I'm *not* proposing, just gathering
> data) how many people would it affect?
What I'm proposing is to remove it after we deprecate it.
I don't think it would affect many people, if any, but we still should
have a deprecation period.
> Is there any legitimate reason why some people would want SSLv2? Like
> "we aren't allowed to upgrade this server" or something.
The only reason I could think of is some embedded equipment or device
with a built-in SSL-based server.
|
msg207791 - (view) |
Author: Larry Hastings (larry) * |
Date: 2014-01-09 20:37 |
Okay, you have my permission to mark it pending deprecated.
> What I'm proposing is to remove it after we deprecate it.
I understand the deprecation process. Like I said, I was just trying to get a sense of how many people would be affected.
|
msg209106 - (view) |
Author: Derek Wilson (underrun) |
Date: 2014-01-24 18:52 |
SSLv2 should not be deprecated yet.
In the field of security research it is highly valuable to locate servers that are still using SSLv2 because it is a security risk.
I'm fine with making it not used by default, but there is no reason to remove the capability from the language itself. That's way overkill.
Once SSLv2 is no longer in the wild I have no problem with deprecation, but the fact is that there is still a strong reason to keep the capability around.
|
msg209107 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-01-24 18:56 |
Thanks for the insight. Then I suggest closing this issue as postponed or rejected.
|
msg209125 - (view) |
Author: Larry Hastings (larry) * |
Date: 2014-01-24 21:45 |
I agree.
|
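An added example (not part of the tracker thread or of CPython): since the thread establishes that SSLv2 is only reachable when `PROTOCOL_SSLv2` is asked for explicitly, a codebase can be audited for exactly those explicit requests before any deprecation or removal. The function name `find_sslv2_uses` and the sample source are constructed for illustration; the scan parses source with `ast` and never imports or runs it.

```python
import ast

TARGET = "PROTOCOL_SSLv2"

# Constructed sample input: source text that is only parsed, never executed.
SAMPLE = '''\
import ssl as tls
from ssl import PROTOCOL_SSLv2 as V2
ctx = tls.SSLContext(tls.PROTOCOL_SSLv2)
legacy = V2
proto = getattr(tls, "PROTOCOL_SSLv2", None)
safe = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT)
'''

def find_sslv2_uses(source, filename="<string>"):
    """Return sorted (line, kind) pairs for explicit PROTOCOL_SSLv2 references."""
    tree = ast.parse(source, filename=filename)
    module_aliases = set()  # local names bound to the ssl module
    direct_names = set()    # local names bound to the constant itself
    hits = []
    # Pass 1: learn how the module and the constant are named in this file.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "ssl":
                    module_aliases.add(a.asname or "ssl")
        elif isinstance(node, ast.ImportFrom) and node.module == "ssl" and node.level == 0:
            for a in node.names:
                if a.name == TARGET:
                    direct_names.add(a.asname or TARGET)
                    hits.append((node.lineno, "imported from ssl"))
                elif a.name == "*":
                    direct_names.add(TARGET)  # star import exposes the bare name
    # Pass 2: find every place the constant is actually requested.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and node.attr == TARGET
                and isinstance(node.value, ast.Name) and node.value.id in module_aliases):
            hits.append((node.lineno, "attribute access"))
        elif (isinstance(node, ast.Name) and node.id in direct_names
                and isinstance(node.ctx, ast.Load)):
            hits.append((node.lineno, "name use"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "getattr" and len(node.args) >= 2
                and isinstance(node.args[1], ast.Constant) and node.args[1].value == TARGET):
            hits.append((node.lineno, "getattr lookup"))
    return sorted(hits)

if __name__ == "__main__":
    for line, kind in find_sslv2_uses(SAMPLE):
        print(f"line {line}: {kind}")
```

Aliased imports and `getattr` lookups are covered because a plain text search for `ssl.PROTOCOL_SSLv2` would miss lines 4 and 5 of the sample.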
Date | User | Action | Args |
2022-04-11 14:57:56 | admin | set | github: 64408 |
2014-01-24 21:49:46 | pitrou | set | status: open -> closed; resolution: rejected |
2014-01-24 21:45:52 | larry | set | messages: + msg209125 |
2014-01-24 18:56:01 | pitrou | set | messages: + msg209107 |
2014-01-24 18:52:56 | underrun | set | nosy: + underrun; messages: + msg209106 |
2014-01-10 17:51:03 | pitrou | set | nosy: + hynek |
2014-01-09 20:54:14 | pitrou | set | versions: + Python 3.4 |
2014-01-09 20:37:40 | larry | set | messages: + msg207791 |
2014-01-09 20:33:53 | pitrou | set | messages: + msg207790 |
2014-01-09 19:35:59 | larry | set | messages: + msg207787 |
2014-01-09 19:28:08 | pitrou | set | messages: + msg207786 |
2014-01-09 19:27:26 | pitrou | set | messages: + msg207785 |
2014-01-09 19:26:06 | larry | set | messages: + msg207784 |
2014-01-09 19:22:20 | pitrou | set | messages: + msg207783 |
2014-01-09 19:21:13 | larry | set | messages: + msg207782 |
2014-01-09 19:19:23 | pitrou | set | messages: + msg207781 |
2014-01-09 19:17:11 | larry | set | messages: + msg207780 |
2014-01-09 19:16:13 | pitrou | set | messages: + msg207779 |
2014-01-09 19:15:50 | larry | set | messages: + msg207778 |
2014-01-09 19:02:43 | r.david.murray | set | messages: + msg207775 |
2014-01-09 19:01:16 | pitrou | set | nosy: + larry; messages: + msg207774 |
2014-01-09 19:00:44 | r.david.murray | set | nosy: + r.david.murray; messages: + msg207773 |
2014-01-09 17:34:20 | vstinner | set | nosy: + vstinner; messages: + msg207763 |
2014-01-09 17:23:59 | pitrou | create | |