
Author pitrou
Recipients alex, christian.heimes, dstufft, pitrou
Date 2014-03-22.18:13:39
Message-id <1395512016.2300.2.camel@fsol>
In-reply-to <1395511847.78.0.843474107911.issue21013@psf.upfronthosting.co.za>
Content
> We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's
> sort of a situational thing. If you're doing something where you need
> SSL3 clients you don't want OP_NO_SSLv3.
> 
> So I guess the question is, do we want to be more secure by default
> and *not* lower the lower bounds of security and require people to add
> context.options & ~ssl.OP_NO_SSLv3 if they want to support SSLv3
> connections?

Most people won't understand the symptoms if some clients can't connect,
so I'd say no.
Also, clients should always use the highest possible protocol version, so
I don't think security is at stake here.
History
Date                 User    Action  Args
2014-03-22 18:13:39  pitrou  set     recipients: + pitrou, christian.heimes, alex, dstufft
2014-03-22 18:13:39  pitrou  link    issue21013 messages
2014-03-22 18:13:39  pitrou  create