changeset: 93849:8bce4ab2223b branch: 3.4 tag: tip parent: 93847:f0297263a1e8 user: Victor Stinner date: Fri Dec 12 12:54:34 2014 +0100 files: Lib/ssl.py Misc/NEWS description: Issue #20896, #22935: ssl.get_server_certificate() now uses PROTOCOL_SSLv23, not PROTOCOL_SSLv3, for maximum compatibility.
diff -r f0297263a1e8 -r 8bce4ab2223b Lib/ssl.py
--- a/Lib/ssl.py Fri Dec 12 12:27:08 2014 +0100
+++ b/Lib/ssl.py Fri Dec 12 12:54:34 2014 +0100
@@ -922,7 +922,7 @@ def PEM_cert_to_DER_cert(pem_cert_string
 d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
 return base64.decodebytes(d.encode('ASCII', 'strict'))
 
-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
+def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
 """Retrieve the certificate from the server at the specified address,
 and return it as a PEM-encoded string.
 If 'ca_certs' is specified, validate the server cert against it.
diff -r f0297263a1e8 -r 8bce4ab2223b Misc/NEWS
--- a/Misc/NEWS Fri Dec 12 12:27:08 2014 +0100
+++ b/Misc/NEWS Fri Dec 12 12:54:34 2014 +0100
@@ -39,6 +39,11 @@ Core and Builtins
 Library
 -------
 
+- Issue #20896, #22935: :func:`ssl.get_server_certificate` now uses
+ :data:`~ssl.PROTOCOL_SSLv23`, not :data:`~ssl.PROTOCOL_SSLv3`, for maximum
+ compatibility and support platforms where :data:`~ssl.PROTOCOL_SSLv3` support
+ is disabled.
+
 - Issue #22095: Fixed HTTPConnection.set_tunnel with default port. The port
 value in the host header was set to "None". Patch by Demian Brecht.
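Review bot: The docstring under the changed `def get_server_certificate(...)` line in Lib/ssl.py does not mention the default, so after this change a caller cannot tell from the function's own documentation that the protocol version is now negotiated rather than fixed. `PROTOCOL_SSLv23` selects the highest version both peers support, and whether SSLv2 or SSLv3 can still be negotiated depends on the options set on the context the body builds; that code is outside this hunk and worth confirming. I would add a docstring sentence such as `The default, PROTOCOL_SSLv23, negotiates the highest protocol version both sides support; pass an explicit 'ssl_version' to pin one.` The visible docstring also implies that no validation happens when 'ca_certs' is omitted, which is worth stating outright since the returned certificate is then unauthenticated. The files list shows only Lib/ssl.py and Misc/NEWS, so a `versionchanged` entry in the library reference appears to be missing from this changeset.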