Message 214502 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	dstufft
Recipients	alex, christian.heimes, dstufft, pitrou
Date	2014-03-22.18:25:25
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1395512725.82.0.0535983447546.issue21013@psf.upfronthosting.co.za>
In-reply-to

Content
To be clear though, a lot of TLS servers out there still have SSL3.0 enabled by default, primarily because of IE6 / XP. I'm on the fence about what the right answer is for create_default_context. From a strictly "best practices for security" sense of view you want to disable SSLv3 (and this matches what create_default_context did prior to my patch). Can we perhaps split the difference and disable SSL3.0 and document what the error looks like when you try to connect with SSL3.0 and how to re-enable it?

To be clear though, a lot of TLS servers out there still have SSL3.0 enabled by default, primarily because of IE6 / XP. I'm on the fence about what the right answer is for create_default_context. From a strictly "best practices for security" sense of view you want to disable SSLv3 (and this matches what create_default_context did prior to my patch).

Can we perhaps split the difference and disable SSL3.0 and document what the error looks like when you try to connect with SSL3.0 and how to re-enable it?

History
Date	User	Action	Args
2014-03-22 18:25:25	dstufft	set	recipients: + dstufft, pitrou, christian.heimes, alex
2014-03-22 18:25:25	dstufft	set	messageid: <1395512725.82.0.0535983447546.issue21013@psf.upfronthosting.co.za>
2014-03-22 18:25:25	dstufft	link	issue21013 messages
2014-03-22 18:25:25	dstufft	create