
Title: ssl module is missing SSL_OP_NO_SSLv2
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.2
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: janssen
Nosy List: exarkun, giampaolo.rodola, heikki, janssen, jeremy.kloth, pitrou
Priority: normal
Keywords: patch

Created on 2009-01-07 18:11 by giampaolo.rodola, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files (file name, uploader and date, description):
issue4870.diff (jeremy.kloth, 2010-01-13 01:49): Patch for Python 2.x trunk
sslopts.patch (pitrou, 2010-04-20 23:28)
sslopts2.patch (pitrou, 2010-04-27 21:08)
sslopts3.patch (pitrou, 2010-05-16 22:39)
sslopts4.patch (pitrou, 2010-05-16 23:28)
Messages (12)
msg79357 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2009-01-07 18:11
As came out here:
...the ssl module does not provide any facility to disable SSL version
2. This is very important when writing SSLv3/TLSv1 compatible servers.
msg79362 - (view) Author: Bill Janssen (janssen) * (Python committer) Date: 2009-01-07 19:06
Actually, that's not quite true.  Specifying TLSv1 or SSLv3 on the
server side will disable SSLv2.  However, there's currently no way to
specify SSLv3 *or* TLSv1 *but not* SSLv2.  This looks easy to fix; I'll
add another entry to the list of protocol versions, which when selected
will cause the server to use SSLv23, but will cause SSLv2 clients to be
msg79364 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2009-01-07 19:15
> Actually, that's not quite true.  
> Specifying TLSv1 or SSLv3 on the
> server side will disable SSLv2.

There are use cases like FTPS where it is desirable that servers support
SSLv3 *and* TLSv1.
To do that using OpenSSL, the SSLv23 protocol must be specified and SSLv2
must be explicitly disabled afterward.
As far as I've understood, using SSLv23 on the server side means that
when the client connects it could decide whether to use SSLv2, SSLv3 or
msg97679 - (view) Author: Jeremy Kloth (jeremy.kloth) Date: 2010-01-13 01:49
I have developed a patch that adds the ability to disable SSLv2, SSLv3 and TLSv1 when using the SSLv23 method. It changes Modules/_ssl.c, Lib/ and Doc/library/ssl.rst.
msg103792 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-04-20 23:28
Here is an adapted patch for py3k. It also adds a couple of test cases.
msg104363 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-04-27 21:08
Here is an updated patch for py3k (the previous one didn't apply cleanly).
msg105884 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-05-16 22:09
Here is an updated patch, following checkin of the new SSL contexts. Options can be specified as an `options` property on SSL contexts.
msg105887 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-05-16 22:39
Updated patch adds a couple of words about SSLv2 in the "security considerations" paragraph. Reviewing is welcome.
msg105889 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-05-16 23:28
It turns out SSL_CTX_clear_options() is not available before OpenSSL 0.9.8m. I adapted my patch to raise a ValueError when trying to clear options on older versions of OpenSSL. Setting additional options still works, though.
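Added example (editor's code, not from this issue or any of the attached patches) showing how the `options` property proposed above is used to get the behaviour msg79364 asks for: let the server negotiate with SSLv23-style method selection but refuse SSLv2 and SSLv3, and probe the clearing caveat from msg105889. It assumes a Python 3 whose ssl module has the `SSLContext.options` property from this issue and `PROTOCOL_TLS_SERVER` (Python 3.6 and later, the current spelling of the auto-negotiating method); the helper names (`make_server_context`, `disable_legacy_protocols`, `legacy_protocols_disabled`, `try_clear_option`) are hypothetical. Note that OpenSSL 1.1.0 and later dropped SSLv2 entirely and define `SSL_OP_NO_SSLv2` as 0, so on such builds `ssl.OP_NO_SSLv2` is 0 and only the SSLv3 bit is observable.

```python
import ssl
import warnings

# Added example around the `options` property this issue introduced; the helper
# names in this block are hypothetical, not part of the ssl module.
# On OpenSSL >= 1.1.0 SSLv2 is compiled out and ssl.OP_NO_SSLv2 == 0, so the
# SSLv3 bit is the one whose effect can actually be observed on modern builds.
LEGACY_OPTIONS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
NO_SSLV3 = ssl.OP_NO_SSLv3


def make_server_context():
    """Server context that negotiates the protocol version with the client.

    PROTOCOL_TLS_SERVER is the current spelling of the PROTOCOL_SSLv23
    auto-negotiating method discussed in this issue (assumes Python >= 3.6).
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def disable_legacy_protocols(ctx):
    """Refuse SSLv2 and SSLv3 while keeping negotiation for everything else.

    OR-ing into ctx.options keeps every bit the context already had, so this
    can only remove protocol versions, never re-enable one.
    """
    with warnings.catch_warnings():
        # Python 3.10+ emits a DeprecationWarning when an OP_NO_* bit is newly
        # set; the version floor is the point here, so silence it locally.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= LEGACY_OPTIONS
    return ctx


def legacy_protocols_disabled(ctx):
    """True when both OP_NO_SSLv2 and OP_NO_SSLv3 are present in ctx.options."""
    return (ctx.options & LEGACY_OPTIONS) == LEGACY_OPTIONS


def try_clear_option(ctx, flag):
    """Clear one option bit and report whether the platform allowed it.

    Per msg105889, clearing raises ValueError when the OpenSSL in use predates
    SSL_CTX_clear_options() (0.9.8m); setting bits still works there, so a
    caller that cannot clear should build a fresh context instead.
    """
    try:
        # Plain-int arithmetic so option bits the ssl.Options enum does not
        # name survive the round trip through the setter.
        ctx.options = int(ctx.options) & ~int(flag)
    except ValueError:
        return False
    return not (ctx.options & flag)


if __name__ == "__main__":
    ctx = disable_legacy_protocols(make_server_context())
    print("SSLv2/SSLv3 disabled:", legacy_protocols_disabled(ctx))
    print("OP_NO_SSLv3 cleared again:", try_clear_option(ctx, NO_SSLV3))
```

On any OpenSSL with `SSL_CTX_clear_options()` the clear succeeds, which is exactly why a server should treat the option bits as a floor it sets once rather than something it toggles at runtime. Python 3.7 and later additionally expose `SSLContext.minimum_version`, which expresses the same floor without the per-version `OP_NO_*` bits; that API is outside the scope of this issue.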
msg106185 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-05-20 20:05
I would like to move forward on this. Does anyone have any comments or objections to the current proposal?
msg106197 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2010-05-20 22:10
I like the approach of providing this feature as a single attribute instead of two separate methods (set/get_options()).
For what it's worth, I took a look at the patch without actually trying it, and it looks good overall, both tests and documentation, which is particularly clear.
msg106222 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-05-21 09:57
This was committed in r81392.
History (date, user, action, args):
2022-04-11 14:56:43 admin set github: 49120
2010-05-21 09:57:16 pitrou set status: open -> closed; resolution: fixed; messages: + msg106222; stage: patch review -> resolved
2010-05-20 22:10:50 giampaolo.rodola set messages: + msg106197
2010-05-20 20:05:13 pitrou set messages: + msg106185
2010-05-16 23:28:07 pitrou set files: + sslopts4.patch; messages: + msg105889
2010-05-16 22:39:49 pitrou set files: - sslopts3.patch
2010-05-16 22:39:43 pitrou set files: + sslopts3.patch; messages: + msg105887
2010-05-16 22:20:38 pitrou set files: + sslopts3.patch
2010-05-16 22:20:28 pitrou set files: - sslopts3.patch
2010-05-16 22:09:18 pitrou set files: + sslopts3.patch; nosy: + exarkun, heikki; messages: + msg105884
2010-04-27 21:16:03 pitrou link issue3596 superseder
2010-04-27 21:08:59 pitrou set files: + sslopts2.patch; messages: + msg104363
2010-04-20 23:28:10 pitrou set files: + sslopts.patch; nosy: + pitrou; messages: + msg103792
2010-04-20 20:52:20 pitrou set resolution: accepted -> (no value); versions: + Python 3.2, - Python 2.6, Python 3.0, Python 3.1, Python 2.7
2010-01-13 01:56:20 brian.curtin set priority: normal; stage: needs patch -> patch review
2010-01-13 01:49:37 jeremy.kloth set files: + issue4870.diff; nosy: + jeremy.kloth; messages: + msg97679; keywords: + patch
2009-01-07 19:15:23 giampaolo.rodola set messages: + msg79364
2009-01-07 19:07:01 janssen set assignee: janssen; resolution: accepted; messages: + msg79362; stage: needs patch
2009-01-07 18:11:43 giampaolo.rodola create