Author dstufft
Recipients alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou, vstinner
Date 2014-10-14.23:30:21
Message-id <1413329421.39.0.209593946291.issue22638@psf.upfronthosting.co.za>
In-reply-to
Content
OpenSSL generally doesn't have bad options disabled until they are years old. OpenSSL takes the stance that it's up to the consumers of the OpenSSL API to properly configure themselves.

Also it's important to note that TLS_FALLBACK_SCSV isn't actually a workaround for the SSL 3.0 problem. There is no workaround for that; you can only disable SSL 3.0. TLS_FALLBACK_SCSV is completely unrelated to Python because it's a workaround for the fact that browsers will re-attempt a TLS connection if the first one fails with a lower protocol version, which means a MITM can force your connection back to SSL 3.0 even if both the client and the server support TLS 1.2. I'm not 100% sure but I don't believe Python has such a dance so TLS_FALLBACK_SCSV does nothing for us.
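
The retry behaviour described in the message above, as an added toy model (not code from the message, CPython or OpenSSL, and not real TLS): it shows when TLS_FALLBACK_SCSV, as specified in RFC 7507, makes a server refuse a downgraded retry, and that it changes nothing for a client that never retries or for a server whose best protocol is SSL 3.0. All function names and the dropping network path are constructed for the illustration.

```python
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600                         # signalling suite, RFC 7507
INAPPROPRIATE_FALLBACK = "inappropriate_fallback"  # alert 86 in RFC 7507


def server_hello(client_version, suites, server_max=TLS12, honors_scsv=True):
    """Return the negotiated version, or the alert name if the hello is refused."""
    # RFC 7507 rule: the SCSV marks a fallback retry. If the server supports
    # something newer than the offered version, the retry was not needed.
    if honors_scsv and TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return INAPPROPRIATE_FALLBACK
    return min(client_version, server_max)


def interfering_path(client_version, suites, **server):
    """Constructed network path on which every hello newer than SSL 3.0 fails."""
    if client_version > SSL3:
        return None  # the client only sees a failed handshake
    return server_hello(client_version, suites, **server)


def connect(path, retries=True, send_scsv=False, **server):
    """Client that offers TLS 1.2 first and, if retries=True, steps down on failure."""
    versions = [TLS12, TLS11, TLS10, SSL3] if retries else [TLS12]
    for attempt, version in enumerate(versions):
        suites = [0x002F]  # any ordinary cipher suite
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # sent only on fallback retries
        result = path(version, suites, **server)
        if result is not None:
            return result  # negotiated version or a fatal alert
    return None  # no retry left: the connection simply fails


if __name__ == "__main__":
    print(hex(connect(interfering_path)))              # downgraded despite TLS 1.2 on both ends
    print(connect(interfering_path, send_scsv=True))   # server refuses the fallback
    print(connect(interfering_path, retries=False))    # no dance, no downgrade, no SCSV needed
```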
History
Date User Action Args
2014-10-14 23:30:21 dstufft set recipients: + dstufft, janssen, pitrou, vstinner, giampaolo.rodola, christian.heimes, alex
2014-10-14 23:30:21 dstufft set messageid: <1413329421.39.0.209593946291.issue22638@psf.upfronthosting.co.za>
2014-10-14 23:30:21 dstufft link issue22638 messages
2014-10-14 23:30:21 dstufft create