classification
Title: Provide a way to disable SSLv2 (or better yet, disable by default)
Type: security
Stage:
Components: Library (Lib)
Versions: Python 3.2, Python 2.7

process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: ssl module is missing SSL_OP_NO_SSLv2 (View: 4870)
Assigned To:
Nosy List: giampaolo.rodola, heikki, janssen, pitrou
Priority: normal
Keywords:

Created on 2008-08-19 03:06 by heikki, last changed 2010-04-27 21:16 by pitrou. This issue is now closed.

Messages (4)
msg71404 - Author: Heikki Toivonen (heikki) Date: 2008-08-19 03:06
There should be a way to disable SSLv2 since it is insecure. It would be
even better if SSLv2 was disabled out of the box, but maybe there could
be a way to re-enable it.

I made the default to disable SSLv2 in M2Crypto, but those that want it
can explicitly request an unsecure connection. You can take a look at
http://svn.osafoundation.org/m2crypto/trunk/M2Crypto/SSL/Context.py to
see how I did it.

Modern web browsers are also removing SSLv2 support from them, so it
should be really rare to actually need v2 anywhere.

msg72447 - Author: Bill Janssen (janssen) * (Python committer) Date: 2008-09-04 01:15
We might consider this for 3.x.  We didn't want to do this for 2.6, to
maintain compatibility with the older socket.ssl module in Python.

msg103749 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-04-20 20:40
The new "ciphers" argument in trunk and py3k should do the trick, shouldn't it?
Do note that starting with OpenSSL 1.0.0, SSLv2 is disabled by default when using the "SSLv23" client method (you can re-enable it by specifying "ALL" for the cipher list).

msg104364 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-04-27 21:16
Someone else requested it and even provided a patch. See you on issue4870.
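
Added example, not part of the thread and not CPython's own code: on a current Python 3, the protocol versions a client context still allows can be read from its `options` bits (the `OP_NO_*` flags the superseding issue asks for) together with `minimum_version` and `maximum_version`. The function names `enabled_versions`, `hardened_client_context` and `audit` are hypothetical, and the `ssl.SSLContext` API used here postdates this discussion.

```python
import ssl

# OP_NO_* bit that masks each protocol version. SSLv2 has no TLSVersion
# member, so it is not listed; this table covers SSLv3 and later only.
_MASKS = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def enabled_versions(minimum, maximum, options):
    """Names of the protocol versions these context settings still allow."""
    names = []
    for version, mask in _MASKS.items():
        # MINIMUM_SUPPORTED is -2, so no real version compares below it.
        if version < minimum:
            continue
        # MAXIMUM_SUPPORTED is -1 and means "no upper bound".
        if maximum != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > maximum:
            continue
        if options & mask:  # explicitly switched off with an OP_NO_* flag
            continue
        names.append(version.name)
    return names


def hardened_client_context():
    """Client context that refuses every protocol older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Protocol versions a live SSLContext would still negotiate."""
    return enabled_versions(ctx.minimum_version, ctx.maximum_version, ctx.options)


if __name__ == "__main__":
    print("hardened context allows:", audit(hardened_client_context()))
```
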

History
Date                 User              Action  Args
2010-04-27 21:16:03  pitrou            set     status: pending -> closed
                                               resolution: out of date -> duplicate
                                               superseder: ssl module is missing SSL_OP_NO_SSLv2
                                               messages: + msg104364
2010-04-20 21:26:33  giampaolo.rodola  set     status: open -> pending
2010-04-20 21:19:56  giampaolo.rodola  set     status: pending -> open
                                               nosy: + giampaolo.rodola
2010-04-20 20:40:50  pitrou            set     status: open -> pending
                                               versions: + Python 2.7, Python 3.2, - Python 2.6
                                               nosy: + pitrou
                                               messages: + msg103749
                                               resolution: out of date
2008-09-04 01:15:27  janssen           set     nosy: + janssen
                                               messages: + msg72447
2008-08-19 03:06:16  heikki            create