classification
Title: Deprecate PROTOCOL_SSLv2
Type: behavior
Stage:
Components: Library (Lib)
Versions: Python 3.4, Python 3.5
process
Status: closed
Resolution: rejected
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, giampaolo.rodola, hynek, janssen, larry, pitrou, r.david.murray, underrun, vstinner
Priority: low
Keywords:

Created on 2014-01-09 17:23 by pitrou, last changed 2014-01-24 21:49 by pitrou. This issue is now closed.

Messages (20)
msg207762 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 17:23
It sounds like we may deprecate PROTOCOL_SSLv2 in 3.5.
msg207763 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2014-01-09 17:34
See also issue #20207.
msg207773 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-01-09 19:00
Why not in 3.4?
msg207774 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 19:01
It sounds a bit too late, although that would be Larry's call.
msg207775 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-01-09 19:02
I don't see why a deprecation would be late, since we haven't hit RC yet.  A deprecation doesn't change the API.  But yes, it is Larry's call.
msg207778 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2014-01-09 19:15
Would the patch be about as simple as the patch for 2.7 in #20207?

Also, #20207 is also marked for 3.4.  Either unmark 3.4/3.5 in #20207, or close this bug as a duplicate.
msg207779 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 19:16
Those bugs are orthogonal, Larry.
msg207780 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2014-01-09 19:17
Okay, then, can you educate me on what you're proposing here?
msg207781 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 19:19
The ssl module has an attribute named PROTOCOL_SSLv2 that I'm proposing to deprecate.
msg207782 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2014-01-09 19:21
Is there any way to use SSLv2 in 3.4?
msg207783 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 19:22
> Is there any way to use SSLv2 in 3.4?

Yes, by using PROTOCOL_SSLv2.
(you're asking strange questions)
msg207784 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2014-01-09 19:26
I don't have a lot of context for this.  It sounds like #20207 proposes to remove the ability to use SSLv2 at all.  And in the comments Alex Gaynor seems to say that SSLv2 is already disabled in Python 3.

If #20207 happens for 3.4, would it still be possible to use SSLv2?
msg207785 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 19:27
> If #20207 happens for 3.4, would it still be possible to use SSLv2?

#20207 has already happened for 3.4 and, yes, it's still possible to use SSLv2 (except that many distros also disable SSLv2 in their OpenSSL build).

The commit message is quite clear about that: """Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for."""
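Since the commit message quoted above leaves SSLv2 reachable only through an explicit `PROTOCOL_SSLv2` request, a code base can be audited for the attribute by name. The following is an added example, not part of the original thread or of CPython; the function name `find_sslv2_requests` and the sample source are constructed for illustration.

```python
import ast

TARGET = "PROTOCOL_SSLv2"

# Constructed sample source to audit; it is only parsed, never executed.
SAMPLE = '''
import ssl
from ssl import PROTOCOL_SSLv2 as V2
import ssl as tls

ctx_ok = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx_bad = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
ctx_alias = tls.SSLContext(tls.PROTOCOL_SSLv2)
legacy = ssl.SSLContext(V2)
'''


def find_sslv2_requests(source, filename="<sample>"):
    """Return sorted (line, text) pairs where the source asks for SSLv2."""
    tree = ast.parse(source, filename)
    module_aliases = set()  # local names bound to the ssl module
    const_aliases = set()   # local names bound to ssl.PROTOCOL_SSLv2
    hits = []
    # Pass 1: learn how ssl and the constant are imported.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "ssl":
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "ssl":
            for alias in node.names:
                if alias.name == TARGET:
                    const_aliases.add(alias.asname or alias.name)
                    hits.append((node.lineno, "from ssl import " + TARGET))
    # Pass 2: flag every use, whether qualified or through an alias.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and node.attr == TARGET
                and isinstance(node.value, ast.Name)
                and node.value.id in module_aliases):
            hits.append((node.lineno, node.value.id + "." + TARGET))
        elif (isinstance(node, ast.Name) and node.id in const_aliases
                and isinstance(node.ctx, ast.Load)):
            hits.append((node.lineno, node.id))
    return sorted(hits)


if __name__ == "__main__":
    for line, text in find_sslv2_requests(SAMPLE):
        print("line %d: %s" % (line, text))
```

The exact attribute match means `PROTOCOL_SSLv23` is not flagged; dynamic lookups such as `getattr(ssl, name)` are outside what this static check can see.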
msg207786 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 19:28
(FTR, Alex's comment mixes up the default settings used by urlopen() with what the ssl module allows you to do when invoked directly)
msg207787 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2014-01-09 19:35
If we removed it completely (which I'm *not* proposing, just gathering data) how many people would it affect?

Is there any legitimate reason why some people would want SSLv2?  Like "we aren't allowed to upgrade this server" or something.
msg207790 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-09 20:33
> If we removed it completely (which I'm *not* proposing, just gathering
> data) how many people would it affect?

What I'm proposing is to remove it after we deprecate it.
I don't think it would affect many people, if any, but we still should
have a deprecation period.

> Is there any legitimate reason why some people would want SSLv2?  Like
> "we aren't allowed to upgrade this server" or something.

The only reason I could think of is some embedded equipment or device
with a built-in SSL-based server.
msg207791 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2014-01-09 20:37
Okay, you have my permission to mark it pending deprecated.

> What I'm proposing is to remove it after we deprecate it.

I understand the deprecation process.  Like I said, I was just trying to get a sense of how many people would be affected.
msg209106 - (view) Author: Derek Wilson (underrun) Date: 2014-01-24 18:52
SSLv2 should not be deprecated yet.

In the field of security research it is highly valuable to locate servers that are still using SSLv2 because it is a security risk.

I'm fine with making it not used by default, but there is no reason to remove the capability from the language itself. That's way overkill.

Once SSLv2 is no longer in the wild I have no problem with deprecation, but the fact is that there is still a strong reason to keep the capability around.
msg209107 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-01-24 18:56
Thanks for the insight. Then I suggest closing this issue as postponed or rejected.
msg209125 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2014-01-24 21:45
I agree.
History
Date  User  Action  Args
2014-01-24 21:49:46  pitrou  set  status: open -> closed; resolution: rejected
2014-01-24 21:45:52  larry  set  messages: + msg209125
2014-01-24 18:56:01  pitrou  set  messages: + msg209107
2014-01-24 18:52:56  underrun  set  nosy: + underrun; messages: + msg209106
2014-01-10 17:51:03  pitrou  set  nosy: + hynek
2014-01-09 20:54:14  pitrou  set  versions: + Python 3.4
2014-01-09 20:37:40  larry  set  messages: + msg207791
2014-01-09 20:33:53  pitrou  set  messages: + msg207790
2014-01-09 19:35:59  larry  set  messages: + msg207787
2014-01-09 19:28:08  pitrou  set  messages: + msg207786
2014-01-09 19:27:26  pitrou  set  messages: + msg207785
2014-01-09 19:26:06  larry  set  messages: + msg207784
2014-01-09 19:22:20  pitrou  set  messages: + msg207783
2014-01-09 19:21:13  larry  set  messages: + msg207782
2014-01-09 19:19:23  pitrou  set  messages: + msg207781
2014-01-09 19:17:11  larry  set  messages: + msg207780
2014-01-09 19:16:13  pitrou  set  messages: + msg207779
2014-01-09 19:15:50  larry  set  messages: + msg207778
2014-01-09 19:02:43  r.david.murray  set  messages: + msg207775
2014-01-09 19:01:16  pitrou  set  nosy: + larry; messages: + msg207774
2014-01-09 19:00:44  r.david.murray  set  nosy: + r.david.murray; messages: + msg207773
2014-01-09 17:34:20  vstinner  set  nosy: + vstinner; messages: + msg207763
2014-01-09 17:23:59  pitrou  create