This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author pitrou
Recipients alex, christian.heimes, dstufft, pitrou
Date 2014-03-22.18:13:39
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1395512016.2300.2.camel@fsol>
In-reply-to <>
> We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's
> sort of a situational thing. If you're doing something where you need
> SSL3 clients you don't want OP_NO_SSLv3.
> So I guess the question is, do we want to be more secure by default
> and *not* lower the lower bounds of security and require people to add
> context.options & ~ssl.OP_NO_SSLv3 if they want to support SSLv3
> connections?

Most people won't understand the symptoms if some clients can't connect,
so I'd say no.
Also, clients should always use the higher possible protocol version, so
I don't think security is at stake here.
Date User Action Args
2014-03-22 18:13:39pitrousetrecipients: + pitrou, christian.heimes, alex, dstufft
2014-03-22 18:13:39pitroulinkissue21013 messages
2014-03-22 18:13:39pitroucreate