Python 3.4 has constants and code to enable forcing the ssl_version to TLS 1.1 or 1.2. As it stands now Python 2.7, 3.2, and 3.3 can successfully connect and will use a TLS 1.1 or 1.2 connection if it's available (new enough OpenSSL) but cannot _force_ a connection to use TLS 1.1 or 1.2.

It would be good to backport this from 3.4, it would involve adding constants to ssl.py, and minimal code to _ssl.c to handle actually forcing the TLS method.

Two questions:
- does it fix a bug in Python?
- does it fix a security issue in Python?

Yes, I have been persuaded this fixes a security issue in the Python 2
ecosystem: the current barriers to good web security practices are too high.

I have been vocal in pointing out that Python 2 will remain a commercially
supported platform for at least another decade. However, for that to be a
valid claim, it needs to be possible to make effective use of modern web
protocols and security standards.

This is a PEP level discussion though - I'll get something up by tomorrow.

This is resolved now.