SSLv2 has numerous security issues, and thus is in limited use on the web. Continuing to allow SSLv2 handshakes only serves to limit security.

+1

Please qualify the request a bit: do you mean something should be done in the ssl module? One solution is to add OP_NO_SSLv2 when the user asks for a PROTOCOL_SSLv23 socket. Is it what you mean?

Yes, OP_NO_SSLv2 should be used by default.

Here is a patch. Can someone try it with a non-patched OpenSSL? (e.g. OS X)

(by trying, I mean at least "./python -m test.regrtest -unetwork -v test_ssl")

Note that this probably would have to be applied to 3.x too, for consistency.

I can confirm the tests pass on OS X and it's possible to open a connection to howsmyssl.com

I'm not sure this is needed on Python 3, it already has: http://hg.python.org/cpython/file/default/Lib/ssl.py#l388

> I'm not sure this is needed on Python 3, it already has:
> http://hg.python.org/cpython/file/default/Lib/ssl.py#l388

It doesn't get executed when you create a SSLContext directly, though.

I’m +1 too since supporting it serves no other purpose then enabling downgrade attacks. Shipping a client with SSL 2 on is nothing short a security bug.

> Here is a patch. Can someone try it with a non-patched OpenSSL? (e.g. OS X)

How can I test that SSLv2 is disabled?

New changeset 163c09041280 by Antoine Pitrou in branch '2.7':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
http://hg.python.org/cpython/rev/163c09041280

New changeset 613b403ca9f1 by Antoine Pitrou in branch '3.3':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
http://hg.python.org/cpython/rev/613b403ca9f1

New changeset e02288de43ed by Antoine Pitrou in branch 'default':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
http://hg.python.org/cpython/rev/e02288de43ed

This should be ok now. Let's hope no buildbots will complain...