Provide a way to disable SSLv2 (or better yet, disable by default) #47846

Closed
heikki mannequin opened this issue Aug 19, 2008 · 4 comments
Labels
stdlib Python modules in the Lib dir type-security A security issue

heikki mannequin commented Aug 19, 2008

BPO 3596
Nosy @pitrou, @giampaolo
Superseder
  • bpo-4870: ssl module is missing SSL_OP_NO_SSLv2
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2010-04-27.21:16:03.929>
    created_at = <Date 2008-08-19.03:06:16.068>
    labels = ['type-security', 'library']
    title = 'Provide a way to disable SSLv2 (or better yet, disable by default)'
    updated_at = <Date 2010-04-27.21:16:03.928>
    user = 'https://bugs.python.org/heikki'

    bugs.python.org fields:

    activity = <Date 2010-04-27.21:16:03.928>
    actor = 'pitrou'
    assignee = 'none'
    closed = True
    closed_date = <Date 2010-04-27.21:16:03.929>
    closer = 'pitrou'
    components = ['Library (Lib)']
    creation = <Date 2008-08-19.03:06:16.068>
    creator = 'heikki'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 3596
    keywords = []
    message_count = 4.0
    messages = ['71404', '72447', '103749', '104364']
    nosy_count = 4.0
    nosy_names = ['janssen', 'pitrou', 'giampaolo.rodola', 'heikki']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = None
    status = 'closed'
    superseder = '4870'
    type = 'security'
    url = 'https://bugs.python.org/issue3596'
    versions = ['Python 2.7', 'Python 3.2']

    heikki mannequin commented Aug 19, 2008

    There should be a way to disable SSLv2 since it is insecure. It would be
    even better if SSLv2 was disabled out of the box, but maybe there could
    be a way to re-enable it.

    I made the default to disable SSLv2 in M2Crypto, but those that want it
    can explicitly request an insecure connection. You can take a look at
    http://svn.osafoundation.org/m2crypto/trunk/M2Crypto/SSL/Context.py to
    see how I did it.

    Modern web browsers are also removing SSLv2 support from them, so it
    should be really rare to actually need v2 anywhere.

    @heikki heikki mannequin added stdlib Python modules in the Lib dir type-security A security issue labels Aug 19, 2008
    janssen mannequin commented Sep 4, 2008

    We might consider this for 3.x. We didn't want to do this for 2.6, to
    maintain compatibility with the older socket.ssl module in Python.

    pitrou commented Apr 20, 2010

    The new "ciphers" argument in trunk and py3k should do the trick, shouldn't it?
    Do note that starting with OpenSSL 1.0.0, SSLv2 is disabled by default when using the "SSLv23" client method (you can re-enable it by specifying "ALL" for the cipher list).

    pitrou commented Apr 27, 2010

    Someone else requested it and even provided a patch. See you on bpo-4870.

    @pitrou pitrou closed this as completed Apr 27, 2010
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
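
A check related to this request, written for current Python: it reports which legacy protocol versions an `SSLContext` would still accept. This is an added example, not code from the thread or from CPython; the names `legacy_allowed`, `audit` and `hardened_client_context` are hypothetical, and it assumes Python 3.7+ linked against OpenSSL 1.1.0 or later.

```python
import ssl

# Legacy protocol versions paired with the OP_NO_* flag that switches each off.
# SSLv2 is not listed: OpenSSL 1.1.0 and later no longer implement it at all.
LEGACY = [
    (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
]


def legacy_allowed(minimum_version, options):
    """Return names of legacy protocols that these settings do not rule out.

    A version is ruled out when it lies below the configured floor or when
    its OP_NO_* bit is set. TLSVersion.MINIMUM_SUPPORTED is -2, so it
    compares below every real version and excludes nothing by itself.
    """
    return [
        version.name
        for version, no_flag in LEGACY
        if minimum_version <= version and not options & no_flag
    ]


def audit(ctx):
    """Apply legacy_allowed() to a live SSLContext."""
    return legacy_allowed(ctx.minimum_version, ctx.options)


def hardened_client_context():
    """Client context with certificate checks on and a TLS 1.2 floor
    (the floor is this example's assumption, not a value from the thread)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # The default context's result depends on the Python and OpenSSL in use.
    print("default :", audit(ssl.create_default_context()))
    print("hardened:", audit(hardened_client_context()))
```

An empty list from `audit()` means neither the version floor nor the option bits leave SSLv3, TLS 1.0 or TLS 1.1 negotiable for that context.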