It sounds like we may deprecate PROTOCOL_SSLv2 in 3.5.

See also issue #20207.

Why not in 3.4?

It sounds a bit too late, although that would be Larry's call.

I don't see why a deprecation would be late, since we haven't hit RC yet.  A deprecation doesn't change the API.  But yes, it is Larry's call.

Would the patch be about as simple as the patch for 2.7 in #20207?

Also, #20207 is also marked for 3.4.  Either unmark 3.4/3.5 in #20207, or close this bug as a duplicate.

Those bugs are orthogonal, Larry.

Okay, then, can you educate me on what you're proposing here?

The ssl module has an attribute named PROTOCOL_SSLv2 that I'm proposing to deprecate.

Is there any way to use SSLv2 in 3.4?

> Is there any way to use SSLv2 in 3.4?

Yes, by using PROTOCOL_SSLv2.
(you're asking strange questions)

I don't have a lot of context for this.  It sounds like #20207 proposes to remove the ability to use SSLv2 at all.  And in the comments Alex Gaynor seems to say that SSLv2 is already disabled in Python 3.

If #20207 happens for 3.4, would it still be possible to use SSLv2?

> If #20207 happens for 3.4, would it still be possible to use SSLv2?

#20207 has already happened for 3.4 and, yes, it's still possible to use SSLv2 (except that many distros also disable SSLv2 in their OpenSSL build).

The commit message is quite clear about that: """Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for."""

(FTR, Alex's comment mixes up the default settings used by urlopen() with what the ssl module allows to do when invoked directly)

If we removed it completely (which I'm *not* proposing, just gathering data) how many people would it affect?

Is there any legitimate reason why some people would want SSLv2?  Like "we aren't allowed to upgrade this server" or something.

> If we removed it completely (which I'm *not* proposing, just gathering
> data) how many people would it affect?

What I'm proposing is to remove it after we deprecate it.
I don't think it would affect many people, if any, but we still should
have a deprecation period.

> Is there any legitimate reason why some people would want SSLv2?  Like
> "we aren't allowed to upgrade this server" or something.

The only reason I could think about is some embedded equipment or device
with a built-in SSL-based server.

Okay, you have my permission to mark it pending deprecated.

> What I'm proposing is to remove it after we deprecate it.

I understand the deprecation process.  Like I said, I was just trying to get a sense of how many people would be affected.

sslv2 should not be deprecated yet.

in the field of security research it is highly valuable to locate servers that are still using sslv2 because it is a security risk.

i'm fine with making it not used by default, but there is no reason to remove the capability from the language itself. thats way overkill.

once sslv2 is no longer in the wild i have no problem with deprecation but the fact is that there is still a strong reason to keep the capability around.

Thanks for the insight. Then I suggest to close this issue as postponed or rejected.

I agree.