Message 146358 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	barry
Recipients	barry, eric.araujo, janssen, nadeem.vawda, pitrou, vstinner
Date	2011-10-25.11:31:02
SpamBayes Score	3.0558889e-12
Marked as misclassified	No
Message-id	<20111025073050.174628cb@limelight.wooz.org>
In-reply-to	<1319536368.15328.2.camel@localhost.localdomain>

Content
On Oct 25, 2011, at 09:56 AM, Antoine Pitrou wrote: > >Antoine Pitrou <pitrou@free.fr> added the comment: > >> It looks like it's been this way for a long time too. > >But tests have always passed here using OpenSSL 1.0.0. Right, sorry, what I meant was this particular behavior (switching to SSLv3 client hello when SSLv2 is disabled) appears to have been in upstream openssl since about 2005. What's changed recently is that instead of patching openssl to disable SSLv2 (and thereby not triggering the client hello switch), Debian has started to use the no-ssl Configure option, which is what probably started allowing this test to unexpectedly succeed. >> It's probably too difficult, and not really Python's responsibility, >> to determine whether SSL_OP_NO_SSLv2 is set. > >See http://docs.python.org/dev/library/ssl.html#ssl.SSLContext.options Interesting, thanks for the pointer. >> Rather, I think the test is simply bogus and should be disabled or >> removed. > >I think it would be good to keep a simplified/minimal (and, of course, >working :-)) version of these tests. >Patches welcome, anyway. I can't really test with Debian's OpenSSL. I'll work up a patch. -Barry

On Oct 25, 2011, at 09:56 AM, Antoine Pitrou wrote:

>
>Antoine Pitrou <pitrou@free.fr> added the comment:
>
>> It looks like it's been this way for a long time too.
>
>But tests have always passed here using OpenSSL 1.0.0.

Right, sorry, what I meant was this particular behavior (switching to SSLv3
client hello when SSLv2 is disabled) appears to have been in upstream openssl
since about 2005.  What's changed recently is that instead of patching openssl
to disable SSLv2 (and thereby not triggering the client hello switch), Debian
has started to use the no-ssl Configure option, which is what probably started
allowing this test to unexpectedly succeed.

>> It's probably too difficult, and not really Python's responsibility,
>> to determine whether SSL_OP_NO_SSLv2 is set.
>
>See http://docs.python.org/dev/library/ssl.html#ssl.SSLContext.options

Interesting, thanks for the pointer.

>> Rather, I think the test is simply bogus and should be disabled or
>> removed.
>
>I think it would be good to keep a simplified/minimal (and, of course,
>working :-)) version of these tests.
>Patches welcome, anyway. I can't really test with Debian's OpenSSL.

I'll work up a patch.

-Barry

History
Date	User	Action	Args
2011-10-25 11:31:03	barry	set	recipients: + barry, janssen, pitrou, vstinner, nadeem.vawda, eric.araujo
2011-10-25 11:31:02	barry	link	issue13218 messages
2011-10-25 11:31:02	barry	create