classification
Title: ssl: OP_NO_SSLv3 should always be set unless a user specifically asks for it
Type:
Stage: resolved
Components: Library (Lib)
Versions: Python 3.6, Python 3.5, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou, python-dev
Priority: normal
Keywords: needs review, patch, security_issue

Created on 2015-11-01 19:10 by alex, last changed 2015-11-12 06:45 by python-dev. This issue is now closed.

Files
File name Uploaded Description Edit
sslv3.diff alex, 2015-11-01 19:10 review
sslv3.diff alex, 2015-11-02 12:42 review
Messages (3)
msg253868 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2015-11-01 19:10
SSLv3 is broken. Both _create_unverified_context and create_default_context turn it off, but we should make all contexts turn it off, like we do for SSLv2.

A patch is attached.
msg253907 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2015-11-02 12:42
Oops, there were a few failing tests on that patch. New one is green.
msg254520 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-11-12 06:45
New changeset d80954d941c7 by Benjamin Peterson in branch '2.7':
always set OP_NO_SSLv3 by default (closes #25530)
https://hg.python.org/cpython/rev/d80954d941c7

New changeset 56f64ec9259f by Benjamin Peterson in branch '3.4':
always set OP_NO_SSLv3 by default (closes #25530)
https://hg.python.org/cpython/rev/56f64ec9259f

New changeset d1737db0f1b2 by Benjamin Peterson in branch '3.5':
merge 3.4 (#25530)
https://hg.python.org/cpython/rev/d1737db0f1b2

New changeset 2899acbd2b46 by Benjamin Peterson in branch 'default':
merge 3.5 (#25530)
https://hg.python.org/cpython/rev/2899acbd2b46
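
A check for the behaviour this issue asks for, as an added example that is not part of the issue thread or of the committed patch: it builds contexts the three ways mentioned above and reports whether the OP_NO_SSLv3 option bit is set, then sets the bit on a context that lacks it. The helper names, the choice of PROTOCOL_TLS_CLIENT for the plain constructor, and the stand-in object representing a context from an unpatched interpreter are assumptions made for illustration.

```python
import ssl
import warnings
from types import SimpleNamespace


def sslv3_disabled(ctx):
    """Return True if the OP_NO_SSLv3 option bit is set on ctx.options."""
    return bool(int(ctx.options) & int(ssl.OP_NO_SSLv3))


def ensure_no_sslv3(ctx):
    """Set OP_NO_SSLv3 when it is missing; return True if ctx was changed."""
    if sslv3_disabled(ctx):
        return False
    with warnings.catch_warnings():
        # Recent Python releases warn when OP_NO_* bits are set by hand.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv3
    return True


def audit_stdlib_contexts():
    """Build contexts the three ways named in the issue and report the bit."""
    contexts = {
        "SSLContext(PROTOCOL_TLS_CLIENT)": ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT),
        "create_default_context()": ssl.create_default_context(),
        "_create_unverified_context()": ssl._create_unverified_context(),
    }
    return {name: sslv3_disabled(ctx) for name, ctx in contexts.items()}


def make_prefix_stand_in():
    """Constructed stand-in for a context from an unpatched interpreter:
    only OP_ALL is set, so the OP_NO_SSLv3 bit is absent."""
    return SimpleNamespace(options=int(ssl.OP_ALL))


if __name__ == "__main__":
    for name, ok in audit_stdlib_contexts().items():
        print(f"{name:35} OP_NO_SSLv3 set: {ok}")
    legacy = make_prefix_stand_in()
    print("stand-in before:", sslv3_disabled(legacy))
    print("changed:", ensure_no_sslv3(legacy))
    print("stand-in after:", sslv3_disabled(legacy))
```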
History
Date User Action Args
2015-11-12 06:45:50 python-dev set status: open -> closed; nosy: + python-dev; messages: + msg254520; resolution: fixed; stage: resolved
2015-11-02 12:42:07 alex set files: + sslv3.diff; messages: + msg253907
2015-11-01 19:10:54 alex create