Issue 3596: Provide a way to disable SSLv2 (or better yet, disable by default)

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/47846

classification

Title:	Provide a way to disable SSLv2 (or better yet, disable by default)
Type:	security	Stage:
Components:	Library (Lib)	Versions:	Python 3.2, Python 2.7

process

Status:	closed	Resolution:	duplicate
Dependencies:		Superseder:	ssl module is missing SSL_OP_NO_SSLv2 View: 4870
Assigned To:		Nosy List:	giampaolo.rodola, heikki, janssen, pitrou
Priority:	normal	Keywords:

Created on 2008-08-19 03:06 by heikki, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (4)
msg71404 - (view)	Author: Heikki Toivonen (heikki)	Date: 2008-08-19 03:06
There should be a way to disable SSLv2 since it is insecure. It would be even better if SSLv2 was disabled out of the box, but maybe there could be a way to re-enable it. I made the default to disable SSLv2 in M2Crypto, but those that want it can explicitly request unsecure connection. You can take a look at http://svn.osafoundation.org/m2crypto/trunk/M2Crypto/SSL/Context.py to see how I did it. Modern web browsers are also removing SSLv2 support from them, so it should be really rare to actually need v2 anywhere.
msg72447 - (view)	Author: Bill Janssen (janssen) *	Date: 2008-09-04 01:15
We might consider this for 3.x. We didn't want to do this for 2.6, to maintain compatibility with the older socket.ssl module in Python.
msg103749 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2010-04-20 20:40
The new "ciphers" argument in trunk and py3k should do the trick, shouldn't it? Do note that starting with OpenSSL 1.0.0, SSLv2 is disabled by default when using the "SSLv23" client method (you can re-enable it by specifying "ALL" for the cipher list).
msg104364 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2010-04-27 21:16
Someone else requested it and even provided a patch. See you on issue4870.

History
Date	User	Action	Args
2022-04-11 14:56:37	admin	set	github: 47846
2010-04-27 21:16:03	pitrou	set	status: pending -> closed resolution: out of date -> duplicate superseder: ssl module is missing SSL_OP_NO_SSLv2 messages: + msg104364
2010-04-20 21:26:33	giampaolo.rodola	set	status: open -> pending
2010-04-20 21:19:56	giampaolo.rodola	set	status: pending -> open nosy: + giampaolo.rodola
2010-04-20 20:40:50	pitrou	set	status: open -> pending versions: + Python 2.7, Python 3.2, - Python 2.6 nosy: + pitrou messages: + msg103749 resolution: out of date
2008-09-04 01:15:27	janssen	set	nosy: + janssen messages: + msg72447
2008-08-19 03:06:16	heikki	create